Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

Ch_301 - Trigger de-peg event may not be possible at a time when the protocol needs #372

Closed
sherlock-admin opened this issue Mar 27, 2023 · 4 comments
Closed

Ch_301 - Trigger de-peg event may not be possible at a time when the protocol needs #372

sherlock-admin opened this issue Mar 27, 2023 · 4 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023
edited by hrishibhat
Loading

Ch_301

medium

Trigger de-peg event may not be possible at a time when the protocol needs

Summary

Based on the current implementation, when the protocol wants to use Chainlink oracle data feed for getting the token's price
In certain exceptional scenarios, oracles may become unavailable or the value of tokens can plummet to zero. In such situations, , no one can trigger the de-pegging event (all calls will revert)

Vulnerability Detail

To trigger de-peg event you need to invoke triggerDepeg() which is get the price from getLatestPrice()
If a token's oracle goes down or the price falls to zero

        if (price <= 0) revert OraclePriceZero();

call will revert

Impact

trigger de-peg event may not be possible at a time when the protocol needs them most. As a result, the users who buy the insurance will receive nothing, when they should.

Code Snippet

Tool used

Manual Review

Recommendation

Make sure that there is a protective measure implemented to prevent this potential situation.
@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
@pauliax
Copy link

pauliax commented Apr 11, 2023
edited
Loading

Escalate for 10 USDC.

This has nothing to do with #435. I think this issue should be invalid because the price and other validations are recommended by Chainlink. Otherwise, this would create a precedent to pick these low-hanging fruits every time: if the protocol has validations, Watsons can suggest dropping them, if it does not validate, then suggest implementing validations (e.g. #154).

@sherlock-admin
Copy link
Contributor Author

sherlock-admin commented Apr 11, 2023
edited
Loading

Escalate for 10 USDC.

This has nothing to do with #435. I think this issue should be invalid because the price and other validations are recommended by Chainlink. Otherwise, this would create a precedent to pick these low-hanging fruits every time: if the protocol has validations, Watsons can suggest dropping them, if it does not validate, then suggest implementing validations (e.g. #154).

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Apr 11, 2023
@hrishibhat
Copy link

Escalation accepted

Not a duplicate of #435
Not a valid medium issue on its own as pointed out by the escalation.
Considering this informational.

@sherlock-admin
Copy link
Contributor Author

Escalation accepted

Not a duplicate of #435
Not a valid medium issue on its own as pointed out by the escalation.
Considering this informational.

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected and removed Escalated This issue contains a pending escalation labels Apr 26, 2023
@hrishibhat hrishibhat removed the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Apr 26, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Reward A payout will be made for this issue labels Apr 28, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hrishibhat @pauliax @sherlock-admin