This repository has been archived by the owner on Dec 31, 2023. It is now read-only.

Proxy - D3Oracle will return the wrong price if the Chainlink aggregator returns price outside min/max range #129

Open
sherlock-admin opened this issue Jul 1, 2023 · 3 comments
Labels
- Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
- Medium: A valid Medium severity issue
- Reward: A payout will be made for this issue
- Won't Fix: The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin
Contributor

Proxy

medium

D3Oracle will return the wrong price if the Chainlink aggregator returns price outside min/max range

Summary

Chainlink oracles have a min and max price that they return. If the price goes below the minimum price the oracle will not return the correct price but only the min price. Same goes for the other extremity.

Vulnerability Detail

Both getPrice() and getOriginalPrice() only check price > 0, not whether the price is within the correct range:

```solidity
(uint80 roundID, int256 price,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
require(price > 0, "Chainlink: Incorrect Price");
require(block.timestamp - updatedAt < priceSources[token].heartBeat, "Chainlink: Stale Price");
require(answeredInRound >= roundID, "Chainlink: Stale Price");
```

Impact

The wrong price may be returned in the event of a market crash.
The functions with the issue are used in D3VaultFunding.sol, D3VaultLiquidation.sol and D3UserQuota.sol

Code Snippet

Tool used

Manual Review

Recommendation

Check the latest answer against reasonable limits and/or revert in case you get a bad price

```solidity
require(price >= minAnswer && price <= maxAnswer, "invalid price");
```
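Where the bounds live on-chain, and how a reader can enforce them, as an added example that is not D3Oracle's code, Chainlink's code, or code from the issue author. A Chainlink price feed address is an EACAggregatorProxy; its aggregator() returns the current OffchainAggregator, which exposes minAnswer() and maxAnswer() (both int192). The interfaces below are trimmed to those functions; the contract name BoundedChainlinkReader, its constructor parameters, and the single immutable heartbeat (standing in for priceSources[token].heartBeat) are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example, not project code. Interfaces are reduced to the functions
// used; the function names and return types match Chainlink's
// EACAggregatorProxy (aggregator, latestRoundData) and OffchainAggregator
// (minAnswer, maxAnswer).
interface IAggregatorProxy {
    function aggregator() external view returns (address);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical reader contract; names and constructor are assumptions.
contract BoundedChainlinkReader {
    IAggregatorProxy public immutable feed;
    // Stands in for priceSources[token].heartBeat in D3Oracle.
    uint256 public immutable heartbeat;

    constructor(address feed_, uint256 heartbeat_) {
        feed = IAggregatorProxy(feed_);
        heartbeat = heartbeat_;
    }

    /// Reads the feed and reverts if the answer is non-positive, stale,
    /// or sitting on the aggregator's min/max circuit-breaker bounds.
    function getBoundedPrice() external view returns (uint256) {
        (uint80 roundId, int256 price,, uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // The checks D3Oracle already performs.
        require(price > 0, "Chainlink: Incorrect Price");
        require(block.timestamp - updatedAt < heartbeat, "Chainlink: Stale Price");
        require(answeredInRound >= roundId, "Chainlink: Stale Price");

        // The bounds are held by the aggregator behind the proxy, not by the
        // proxy itself. Query it on every call rather than caching the address:
        // Chainlink can re-point a proxy at a new aggregator with new bounds.
        IOffchainAggregator agg = IOffchainAggregator(feed.aggregator());
        int256 minAnswer = int256(agg.minAnswer());
        int256 maxAnswer = int256(agg.maxAnswer());

        // Strict comparison: an answer exactly at a bound is what a clamped
        // feed reports during a crash, so it is rejected rather than accepted.
        require(price > minAnswer && price < maxAnswer, "Chainlink: price at circuit-breaker bound");

        return uint256(price);
    }
}
```

To confirm that a specific feed exposes the bounds before relying on this, call aggregator() on the proxy and then minAnswer() and maxAnswer() on the returned address (for example with Foundry's `cast call`). Two caveats apply: older aggregator implementations may not expose these getters at all, in which case the external call reverts and the reader should fall back to a second price source or refuse to quote; and on some feeds the bounds are set so wide (for example minAnswer of 1) that the check never triggers, so it is a defence against the clamping behaviour, not a substitute for an independent sanity bound on the price.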
@Attens1423

How can we get minPrice and maxPrice from the oracle contract? Could you give us a more detailed process?

@0xffff11
Collaborator

@Attens1423

We understand this doc. If you could offer a code example, including how to get minPrice and maxPrice from code, we would appreciate it.


4 participants