crimson-rat-reach - [MEDIUM] Oracle#getUnderlyingPrice - ChainLinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer #227
[MEDIUM] Oracle#getUnderlyingPrice - ChainLinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer
Summary
Chainlink Oracles have a built-in circuit breaker in case prices go outside predetermined minPrice and maxPrice price bands. Therefore, if an asset suffers a huge loss in value, such as the LUNA crash, the chainlink oracle will return the wrong prices, and the protocol can go into debt.
Vulnerability Detail
The Oracle.solcontract uses a chainlink aggregator oracle to get the latest price for setting the index price in the protocol. However, if an asset listed on the exchange suffers a huge change in value, like that of the LUNA crash, the Chainlink oracle will return the wrong prices. The protocol will keep getting the set minPrice or maxPrice as the answer, while the real price might differ. Since the index price will be set wrong because of this, the funding rates will be wrong and users will suffer losses.
The referred code snippet where prices are fetched is as follows:
The Oracle contract does not check if minPrice or maxPrice circuit breakers are hit by the chainlink aggregator. This might result in a loss for users of the protocol.
crimson-rat-reach
medium
[MEDIUM] Oracle#getUnderlyingPrice - ChainLinkAdapterOracle will return the wrong price for asset if underlying aggregator hits minAnswer
Summary
Chainlink Oracles have a built-in circuit breaker in case prices go outside predetermined minPrice and maxPrice price bands. Therefore, if an asset suffers a huge loss in value, such as the LUNA crash, the chainlink oracle will return the wrong prices, and the protocol can go into debt.
Vulnerability Detail
The
Oracle.sol
contract uses a chainlink aggregator oracle to get the latest price for setting the index price in the protocol. However, if an asset listed on the exchange suffers a huge change in value, like that of the LUNA crash, the Chainlink oracle will return the wrong prices. The protocol will keep getting the setminPrice
ormaxPrice
as the answer, while the real price might differ. Since the index price will be set wrong because of this, the funding rates will be wrong and users will suffer losses.The referred code snippet where prices are fetched is as follows:
Impact
The Oracle contract does not check if
minPrice
ormaxPrice
circuit breakers are hit by the chainlink aggregator. This might result in a loss for users of the protocol.Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/Oracle.sol#L24
Tool used
Manual Review
Recommendation
Check if minPrice/maxPrice circuit breakers are hit, and apply appropriate procedures if they are hit.
Reference
Venus on BSC was exploited similarly when LUNA crashed: https://rekt.news/venus-blizz-rekt/.
Duplicate of #241