search

hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mecanism repo prepared for Hat finance audit competition
0 stars 0 forks source link

ChainlinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer #5

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @https://github.com/maarcweiss Submission hash (on-chain): 0x9a38304e0ba222b560f2796966586f23c188a32a0266f58757943a8f0e2a973a Severity: medium

Description: Description\ Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.

Attack Scenario\ ChainlinkAdapterOracle uses the ChainlinkFeedRegistry to obtain the price of the requested tokens.

function latestRoundData(
  address base,
  address quote
)
  external
  view
  override
  checkPairAccess()
  returns (
    uint80 roundId,
    int256 answer,
    uint256 startedAt,
    uint256 updatedAt,
    uint80 answeredInRound
  )
{
  uint16 currentPhaseId = s_currentPhaseId[base][quote];
  //@audit this pulls the Aggregator for the requested pair
  AggregatorV2V3Interface aggregator = _getFeed(base, quote);
  require(address(aggregator) != address(0), "Feed not found");
  (
    roundId,
    answer,
    startedAt,
    updatedAt,
    answeredInRound
  ) = aggregator.latestRoundData();
  return _addPhaseIds(roundId, answer, startedAt, updatedAt, answeredInRound, currentPhaseId);
}

ChainlinkFeedRegistry#latestRoundData pulls the associated aggregator and requests round data from it. ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minPrice, the protocol will continue to value the token at minPrice instead of it's actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.

Example: TokenA has a minPrice of $1. The price of TokenA drops to $0.10. The aggregator still returns $1 allowing the user to borrow against TokenA as if it is $1 which is 10x it's actual value.

Code\ https://github.com/Cvg-Finance/hats-audit/blob/da48577d2f42fa8c2e35bb7223208ea6ba88012e/contracts/Oracles/CvgOracle.sol#L202-L205

Recommendation\ ChainlinkAdapterOracle should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds:

shalbe-cvg commented 1 year ago

Hello, Thanks a lot for your attention.

After careful examination, we have decided to reduce your issue's severity to Low. To fix this problem, we are going to add a specific check in the oracle flow on these minimum and maximum values configured on Chainlink side.