price > 0, so a zero Chainlink answer values all collateral at $0 and triggers mass wrongful liquidationsSeverity: High · Impact: High · Likelihood: Medium
oracle_lib is meant to be the single guard that decides whether a Chainlink answer is usable; if the data is bad it must revert so the engine freezes (per the file's own docstring).
It validates the timestamp, round completeness, and a 72-hour timeout, but it never validates that price > 0. A feed returning 0 (or a negative value) with a fresh timestamp passes all checks and is used as a real price.
Likelihood:
Occurs whenever a Chainlink feed reports 0 with a current timestamp — a documented real-world failure mode (feed misconfiguration, a market/aggregator glitch), which the repo itself simulates via mock_more_debt_dsc crashing the price to 0.
Impact:
With price 0, _get_usd_value returns 0 for every position, so all users' health factors collapse below MIN_HEALTH_FACTOR and become liquidatable at once — collateral is seized from users who are genuinely overcollateralized (loss of funds).
_get_token_amount_from_usd divides by the zero price and reverts, bricking liquidation and redemption paths (denial of service).
Save the block below as tests/poc_h2.py inside the cloned repo and run mox test tests/poc_h2.py. It uses only the contest's own source files and deploys everything inline — no conftest fixtures. A fully healthy position is driven below the minimum health factor purely by a zero price.
Reject non-positive prices in the staleness check so bad data freezes the protocol (the intended behavior) instead of being used.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.