The getSqrtPrice function in the PriceFeed contract is vulnerable to returning incorrect prices if the Chainlink oracle's circuit breaker mechanism is triggered. This can lead to users Trade the market against assets at incorrect prices, potentially causing significant financial losses and instability in the protocol. This scenario occurred on Venus on the Binance Smart Chain (BSC) during the collapse of LUNA.
Proof of Concept
When using the latestRoundData() the price of an asset deviates significantly from a predefined price range, Chainlink aggregators activate a circuit breaker mechanism. This mechanism causes the oracle to consistently return the minimum price instead of the actual price of the asset.
Consequently, users can continue to Trade the asset, but at an incorrect price.
For instance, consider TokenA with a minPrice set at $1. If the price of TokenA drops to $0.10, the aggregator still reports $1. This scenario enables users to Trade significant amounts of token, potentially leading to bankruptcy for the protocol.
Tools Used
Manual Review
Recommended Mitigation Steps
getSqrtPrice() should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds:
(, int256 quoteAnswer,,,) = AggregatorV3Interface(_quotePriceFeed).latestRoundData()
++ if (quoteAnswer >= maxPrice or quoteAnswer <= minPrice) revert();
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45
Vulnerability details
Impact
The
getSqrtPrice
function in the PriceFeed contract is vulnerable to returning incorrect prices if the Chainlink oracle's circuit breaker mechanism is triggered. This can lead to users Trade the market against assets at incorrect prices, potentially causing significant financial losses and instability in the protocol. This scenario occurred on Venus on the Binance Smart Chain (BSC) during the collapse of LUNA.Proof of Concept
When using the latestRoundData() the price of an asset deviates significantly from a predefined price range, Chainlink aggregators activate a circuit breaker mechanism. This mechanism causes the oracle to consistently return the minimum price instead of the actual price of the asset.
Consequently, users can continue to Trade the asset, but at an incorrect price.
For instance, consider TokenA with a minPrice set at $1. If the price of TokenA drops to $0.10, the aggregator still reports $1. This scenario enables users to Trade significant amounts of token, potentially leading to bankruptcy for the protocol.
Tools Used
Manual Review
Recommended Mitigation Steps
getSqrtPrice()
should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds:Assessed type
Oracle