peanuts - No fallback available if oracle goes down or price reaches 0

[sherlock-admin]

peanuts

medium

No fallback available if oracle goes down or price reaches 0

Summary

No fallback available if oracle goes down or price reaches 0.

Vulnerability Detail

As https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles/ mentions, it is possible that Chainlink’s "multisigs can immediately block access to price feeds at will". When this occurs, executing latestRoundData reverts , which causes denial of service for the functions using the getPrice function. This issue is particularly important for Blueberry since it is a lending protocol, and getPrice affects many lending protocol's functions, like liquidations. In the case of oracle failure, liquidations will be frozen (all calls will revert) for any debt holders holding this token, even though they may be some of the most important times to allow liquidations to retain the solvency of the protocol.

Impact

DoS while calling the getPrice function which will affect all functions that relies on the getPrice function, such as liquidations.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/oracle/ChainlinkAdapterOracle.sol#L77-L98

Tool used

Manual Review

Recommendation

Wrap the getPrice function in a try/catch block. Call a fallback oracle / 3rd party oracle in case getPrice() doesn't work.

function getPrice(address priceFeedAddress) external view returns (int256) {
        try AggregatorV3Interface(priceFeedAddress).latestRoundData() returns (
            uint80,         // roundID
            int256 price,   // price
            uint256,        // startedAt
            uint256,        // timestamp
            uint80          // answeredInRound
        ) {
            return price;
        } catch Error(string memory) {            
            // handle failure here:
            // revert, call propietary fallback oracle, fetch from another 3rd-party oracle, etc.
        }
    }