search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

okolicodes - Chainlink Oracle will return the wrong price if the Chainlink aggregator returns price outside min/max range #109

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

okolicodes

medium

Chainlink Oracle will return the wrong price if the Chainlink aggregator returns price outside min/max range

Summary

Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded. In its current form, the getUnderlyingPrice() function within the Oracle.sol contract retrieves the latest round data from Chainlink, if the asset's market price plummets below minAnswer or skyrockets above maxAnswer, the returned price will still be minAnswer or maxAnswer, respectively, rather than the actual market price. This could potentially lead to an exploitation scenario where the protocol interacts with the asset using incorrect price information.

Vulnerability Detail

Chainlink oracles have a min and a max price that they return. If the price goes below the minimum price, the oracle will not return the correct price but only the min price. Same goes for the other extremetity. The wrong price may be returned in the event of a market crash. Take a look at the function below https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L61C2-L65C2

Impact

Present price of TokenA is $10TokenA has a minimum price set at $1 on chainlink. The actual price of TokenA dips to $0.10The aggregator continues to report $1 as the price. Consequently, users can interact with protocol using TokenA as though it were still valued at $1, which is a tenfold overestimate of its real market value.

The potential for misuse arises when the actual price of an asset drastically changes but the oracle continues to operate using the minAnswer or maxAnswer as the asset's price. In the case of it going under the minAnswer malicious actors obviously have the upperhand and could give their potential going to zero worth tokens to protocol

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L61C2-L65C2

Tool used

Manual Review

Recommendation

Check the latest answer against reasonable limits and/or revert in case you get a bad price https://docs.chain.link/data-feeds#check-the-latest-answer-against-reasonable-limits

require(price >= minAnswer && price <= maxAnswer, "invalid price");

and/or revert in case you get a bad price

Duplicate of #151

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

141345 commented:

d