Open hats-bug-reporter[bot] opened 1 year ago
Hello, Thanks a lot for your attention.
After careful examination, we have decided to reduce your issue's severity to Low. To fix this problem, we are going to add a specific check in the oracle flow on these minimum and maximum values configured on Chainlink side.
Github username: @https://github.com/maarcweiss Submission hash (on-chain): 0x9a38304e0ba222b560f2796966586f23c188a32a0266f58757943a8f0e2a973a Severity: medium
Description: Description\ Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.
Attack Scenario\ ChainlinkAdapterOracle uses the ChainlinkFeedRegistry to obtain the price of the requested tokens.
ChainlinkFeedRegistry#latestRoundData pulls the associated aggregator and requests round data from it. ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minPrice, the protocol will continue to value the token at minPrice instead of it's actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.
Example: TokenA has a minPrice of $1. The price of TokenA drops to $0.10. The aggregator still returns $1 allowing the user to borrow against TokenA as if it is $1 which is 10x it's actual value.
Code\ https://github.com/Cvg-Finance/hats-audit/blob/da48577d2f42fa8c2e35bb7223208ea6ba88012e/contracts/Oracles/CvgOracle.sol#L202-L205
Recommendation\ ChainlinkAdapterOracle should check the returned answer against the minPrice/maxPrice and revert if the answer is outside of the bounds: