This repository has been archived by the owner on Jun 30, 2024. It is now read-only.

ZanyBonzy - D3Oracle will use the wrong price if the Chainlink returns price outside normal range #23

Closed
sherlock-admin opened this issue Dec 30, 2023 · 1 comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Contributor

sherlock-admin commented Dec 30, 2023

ZanyBonzy

medium

D3Oracle will use the wrong price if the Chainlink returns price outside normal range

Summary

Chainlink aggregators have minPrice and maxPrice circuit breakers built into them. This means that if the price of the asset drops below the minPrice, the protocol will continue to value the token at minPrice instead of its actual value, and the other way round. This will allow users to take out huge amounts of bad debt.

Vulnerability Detail

The getPriceFromFeed function should check the min and max amounts returned to prevent cases like LUNA, in which the oracle will return the minimum price and not the crashed price. This would allow a user to execute transactions with the asset but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.

Impact

In the event of extreme asset volatility, the price obtained will be wrong and not the actual price.

Code Snippet

https://github.com/sherlock-audit/2023-12-dodo/blob/ea7f786161113144562a900dbff31457ff7025ef/dodo-v3/contracts/DODOV3MM/periphery/D3Oracle.sol#L115C4-L124C6

```solidity
    function getPriceFromFeed(address token) internal view returns (uint256) {
        checkSequencerActive();
        require(priceSources[token].isWhitelisted, "INVALID_TOKEN");
        AggregatorV3Interface priceFeed = AggregatorV3Interface(priceSources[token].oracle);
        (uint80 roundID, int256 price,, uint256 updatedAt, uint80 answeredInRound) = priceFeed.latestRoundData();
        // Only a non-positive answer is rejected; an answer clamped to the
        // aggregator's minAnswer/maxAnswer passes this check unchanged.
        require(price > 0, "Chainlink: Incorrect Price");
        // Staleness checks against the per-token heartbeat and the round id.
        require(block.timestamp - updatedAt < priceSources[token].heartBeat, "Chainlink: Stale Price");
        require(answeredInRound >= roundID, "Chainlink: Stale Price");
        return uint256(price);
    }
```

Tool used

Manual Code Review

Recommendation

A check like this can be added to avoid returning the min price or the max price in case the price crashes.

```solidity
        // _minPrice / _maxPrice: the feed's configured bounds for this token.
        require(price < _maxPrice, "Upper price bound");
        require(price > _minPrice, "Lower price bound");
```
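A Python model of the checks in the snippet above and of the proposed bound check, added here as an example; it is not DODO's or the reporter's code. The clamping aggregator, the `bounds` parameter and the sample prices are constructed assumptions used to show how a clamped answer passes the existing checks.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


class OracleError(Exception):
    """Stands in for a Solidity require() revert."""


def require(cond: bool, msg: str) -> None:
    if not cond:
        raise OracleError(msg)


@dataclass
class RoundData:
    round_id: int
    answer: int            # price with 8 decimals, as Chainlink USD feeds report it
    updated_at: int
    answered_in_round: int


class ClampedAggregator:
    """Simulated aggregator (constructed): answers outside
    [min_answer, max_answer] are clamped to the nearest bound."""
    def __init__(self, min_answer: int, max_answer: int) -> None:
        self.min_answer, self.max_answer = min_answer, max_answer
        self.round_id = self.answer = self.updated_at = 0

    def report(self, market_price: int, now: int) -> None:
        self.round_id += 1
        self.answer = min(max(market_price, self.min_answer), self.max_answer)
        self.updated_at = now

    def latest_round_data(self) -> RoundData:
        return RoundData(self.round_id, self.answer, self.updated_at, self.round_id)


def get_price_from_feed(feed: ClampedAggregator, heartbeat: int, now: int,
                        bounds: Optional[Tuple[int, int]] = None) -> int:
    """Mirrors the require() checks of getPriceFromFeed; `bounds` is a
    hypothetical (minPrice, maxPrice) pair enabling the recommended check."""
    rd = feed.latest_round_data()
    require(rd.answer > 0, "Chainlink: Incorrect Price")
    require(now - rd.updated_at < heartbeat, "Chainlink: Stale Price")
    require(rd.answered_in_round >= rd.round_id, "Chainlink: Stale Price")
    if bounds is not None:
        require(rd.answer < bounds[1], "Upper price bound")
        require(rd.answer > bounds[0], "Lower price bound")
    return rd.answer


def accepted_price(feed, heartbeat, now, bounds=None) -> Optional[int]:
    """Price the oracle would use, or None where it would revert."""
    try:
        return get_price_from_feed(feed, heartbeat, now, bounds)
    except OracleError:
        return None
```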
@github-actions github-actions bot closed this as completed Jan 2, 2024
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 2, 2024
@nevillehuang
Collaborator

Invalid, the min/max check is deprecated; in fact the minimum price DODO is willing to accept is any price greater than zero, as seen in this check. This is also a previously known won't-fix issue, as seen here.

@sherlock-admin sherlock-admin changed the title Narrow Ivory Mole - D3Oracle will use the wrong price if the Chainlink returns price outside normal range ZanyBonzy - D3Oracle will use the wrong price if the Chainlink returns price outside normal range Jan 10, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 10, 2024