ChainlinkOracle will return the wrong price for asset if underlying aggregator hits minAnswer
Summary
Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minprice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.
Vulnerability Detail
ChainlinkOracle uses ChainlinkRegistry to obtain the price of the requested tokens.
ChainlinkOracle.sol
function sync() external returns (OracleVersion memory) {
// Fetch latest round
-> ChainlinkRound memory round = registry.getLatestRound(base, quote);
// Revert if the round id or timestamp is 0
if (uint64(round.roundId) == 0 || round.timestamp == 0) revert InvalidOracleRound();
// Update phase annotation when new phase detected
while (round.phaseId() > _latestPhaseId()) {
_phases.push(
Phase(
uint128(registry.getRoundCount(base, quote, _latestPhaseId())) +
_phases[_phases.length - 1].startingVersion,
uint128(registry.getStartingRoundId(base, quote, _latestPhaseId() + 1))
)
);
}
ChainlinkRegistry.latestRounddata pulls the associated aggregator and requests round data from it. ChainlinkRegistry have minprice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minprice, the protocol will continue to value the token at minprice instead of it's actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.
Example: TokenA has a minprice of $1. The price of TokenA drops to $0.10. The aggregator still returns $1 allowing the user to borrow against TokenA as if it is $1 which is 10x it's actual value.
Impact
In the event that an asset crashes (i.e. LUNA) the protocol can be manipulated and will affect the price seriously.
Jaraxxus
medium
ChainlinkOracle will return the wrong price for asset if underlying aggregator hits minAnswer
Summary
Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minprice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.
Vulnerability Detail
ChainlinkOracle uses ChainlinkRegistry to obtain the price of the requested tokens.
ChainlinkRegistry.latestRounddata pulls the associated aggregator and requests round data from it. ChainlinkRegistry have minprice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minprice, the protocol will continue to value the token at minprice instead of it's actual value. This will allow users to take out huge amounts of bad debt and bankrupt the protocol.
Example: TokenA has a minprice of $1. The price of TokenA drops to $0.10. The aggregator still returns $1 allowing the user to borrow against TokenA as if it is $1 which is 10x it's actual value.
Impact
In the event that an asset crashes (i.e. LUNA) the protocol can be manipulated and will affect the price seriously.
Code Snippet
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-oracle/contracts/ChainlinkOracle.sol#L59-L75
Tool used
Manual Review
Recommendation
ChainlinkRegistry should check the returned answer against the minprice/maxPrice and revert if the answer is outside of the bounds:
Duplicate of #180