Skip to content
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

rogue-lion-0619 - Wrong oracle price if the min / max answer is hit in chainlink #126

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Closed

rogue-lion-0619 - Wrong oracle price if the min / max answer is hit in chainlink #126

sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 3, 2023
edited by github-actions bot
Loading

rogue-lion-0619

medium

Wrong oracle price if the min / max answer is hit in chainlink

Summary

Chainlink aggregators have a built in circuit breaker if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (i.e. LUNA crash) the price of the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow user to continue borrowing with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.

Vulnerability Detail

ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minPrice, the protocol will continue to value the token at minPrice instead of it's actual value. This is particularly important in this protocol since it is pegged to DAI because the protocol would not be using the right DAI price in those situations and users could exploit that.

Note:
Chainlink oracles are used a just one piece of the OracleAggregator system and it is assumed that using a combination of other oracles, a scenario like this can be avoided. However this is not the case because the other oracles also have their flaws that can still allow this to be exploited. In this case, the protocol is using a second oracle: a UniswapV3Oracle. But it is being used with a long TWAP (600 seconds = 10 minutes) so it gives a long timeframe to any user to exploit the price difference.

In the past, we have seen similar reports, like this: sherlock-audit/2023-02-blueberry-judging#18

Impact

In the event that an asset crashes (like happened to LUNA) the protocol functions can be exploited thanks to the wrong oracle price.

Code Snippet

The vulnerable code can be found here.

Tool used

Manual Review

Recommendation

Implement some sort of circuit breaker, so if the price goes below or above a threshold, it reverts the transaction; just as recommended by Chainlink here: https://docs.chain.link/data-feeds/selecting-data-feeds#market-failures-resulting-from-extreme-events

Duplicate of #241
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jul 19, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin