Chainlink oracle will return the wrong price if the aggregator hits minAnswer or maxAnswer

Summary

There is no check for price from latestRoundData() being with min and max bounds

Vulnerability Detail

Chainlink aggregators have an built-in circuit breaker if the price of an asset goes outside of a predetermined price band. Therefore for example if an asset experiences a huge drop in value e. g a crash the price of the oracle will continue to return the minPrice instead of the actual price of the asset and vice versa.

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/oracle/ChainlinkPriceFeed.sol#L34

Impact

This implies wrong prices will be used in protocol calculations and implementations. If minPrice is being returned in crash it implies prices used in feed are higher than true prices. If maxPrice is being returned in price spikes it means lower prices than true prices are being used in the protocol

Code Snippet

/// @notice Get the current price.
    function getPrice() external view returns (uint256) {
        (, int256 price,, uint256 updatedAt,) = IChainlinkAggregatorV3(source).latestRoundData();
        if (block.timestamp > updatedAt + stalePriceDelay) revert STALE_PRICE();
        if (price <= 0) revert BAD_PRICE();

        return uint256(price);
    }

In returning price there is no check for bounds within minAnswer or maxAnswer

Tool used

Manual Review

Recommendation

Include the following checks

// minPrice check
require(price > minPrice, "Min price exceeded");
// maxPrice check
require(price < maxPrice, "Max price exceeded");

Duplicate of #7

sherlock-audit / 2024-02-rio-network-core-protocol-judging

MatricksDeCoder - Chainlink oracle will return the wrong price if the aggregator hits minAnswer or maxAnswer #343