Open code423n4 opened 12 months ago
The implementation does not set a min/max value by design. Also, Chainlink does not return a min/max price as per the AggregatorV3 docs HERE, contrary to what is reported below:
ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them.
Further proof is required as per the context.
0xSorryNotSorry marked the issue as low quality report
The warden is actually right. It is a bit difficult to find, but the minAnswer and maxAnswer can be retrieved from the Chainlink Aggregator, one step through the proxy. A circuit breaker should be implemented on the Moonwell oracle so that when the price edges close to minAnswer or maxAnswer it starts reverting, to avoid consuming stale prices when Chainlink freezes.
alcueca marked the issue as satisfactory
alcueca marked the issue as primary issue
alcueca marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Oracles/ChainlinkOracle.sol#L97-L113
Vulnerability details
Impact
The ChainlinkOracle.sol contract, specifically the getChainlinkPrice function, uses the Aggregator V2 and V3 interfaces to call latestRoundData. The function should check the returned price against the min and max to prevent cases like these from happening: https://solodit.xyz/issues/missing-checks-for-chainlink-oracle-spearbit-connext-pdf https://solodit.xyz/issues/m-16-chainlinkadapteroracle-will-return-the-wrong-price-for-asset-if-underlying-aggregator-hits-minanswer-sherlock-blueberry-blueberry-git
If a case like LUNA happens, the oracle will return the minimum price and not the crashed price.
Proof of Concept
The getChainlinkPrice function does not check for the min and max price.
Tools Used
Manual review
Recommended Mitigation Steps
Some check like this can be added to avoid returning the min price or the max price in case the price crashes.
Assessed type
Oracle
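As an added illustration of the circuit breaker the judge describes and the check the warden recommends (example code written for this page, not part of the Moonwell repository or the report): the bounds are read from the underlying aggregator reached via the proxy's aggregator() getter, and the read reverts when the answer sits at or near minAnswer/maxAnswer. The interface declarations, contract name, error names and the 1% margin are assumptions made for the example; aggregator(), minAnswer() and maxAnswer() are existing Chainlink AggregatorProxy/OffchainAggregator functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interfaces declared for this example (not copied from the Moonwell codebase).
interface IAggregatorProxy {
    function aggregator() external view returns (address);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

contract BoundedChainlinkReader {
    error StaleOrInvalidAnswer();
    error PriceNearCircuitBreaker(int256 answer, int192 minAnswer, int192 maxAnswer);

    // Hypothetical margin: treat anything within 1% of a bound as "frozen by the breaker".
    uint256 public constant MARGIN_BPS = 100;

    function getBoundedPrice(IAggregatorProxy feed) external view returns (int256 answer) {
        uint80 roundId;
        uint256 updatedAt;
        uint80 answeredInRound;
        (roundId, answer, , updatedAt, answeredInRound) = feed.latestRoundData();
        // Basic sanity checks on the round itself.
        if (answer <= 0 || updatedAt == 0 || answeredInRound < roundId) revert StaleOrInvalidAnswer();

        // One step through the proxy: the bounds live on the underlying aggregator, not the proxy.
        IOffchainAggregator agg = IOffchainAggregator(feed.aggregator());
        int192 minA = agg.minAnswer();
        int192 maxA = agg.maxAnswer();

        // A clamped answer is the breaker's value, not the market's; revert instead of consuming it.
        // int192 * 100 cannot overflow int256, so the widening multiplication is safe.
        int256 lowGuard = int256(minA) + (int256(minA) * int256(MARGIN_BPS)) / 10_000;
        int256 highGuard = int256(maxA) - (int256(maxA) * int256(MARGIN_BPS)) / 10_000;
        if (answer <= lowGuard || answer >= highGuard) {
            revert PriceNearCircuitBreaker(answer, minA, maxA);
        }
    }
}
```

Callers that need liveness during a freeze should pair the revert with a fallback oracle rather than silently accepting the clamped value.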