Large Orchid Seal
Medium
Chainlink aggregators have a built-in circuit breaker that triggers if the price of an asset goes outside a predetermined price band. As a result, if an asset experiences a huge drop in value, the oracle will continue to return minPrice instead of the actual price of the asset. This would allow users to continue borrowing with the asset, but at the wrong price.
Note that the only check is that price is greater than zero, not that it is within an acceptable range.
```solidity
function getThePrice(address tokenAddress) public view returns (int) {
    // still missing a check for L2s
    address _priceFeed = priceFeeds[tokenAddress];
    require(!isPaused, "Contract is paused");
    require(_priceFeed != address(0), "Price feed not set");
    AggregatorV3Interface priceFeed = AggregatorV3Interface(_priceFeed);
    // rest of code
    require(price > 0, "Invalid price");
}
```
In the event that an asset crashes, the protocol can be manipulated to give out loans at an inflated price.
Manual Review
Implement the proper check for each asset. It must revert in the case of a bad price.
```solidity
function getThePrice(address tokenAddress) public view returns (int) {
    // still missing a check for L2s
    address _priceFeed = priceFeeds[tokenAddress];
    require(!isPaused, "Contract is paused");
    require(_priceFeed != address(0), "Price feed not set");
    AggregatorV3Interface priceFeed = AggregatorV3Interface(_priceFeed);
    // rest of code
    require(price >= minPrice && price <= maxPrice, "invalid price"); // @audit use the proper minPrice and maxPrice for each asset
}
```
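One way to carry per-asset bounds alongside each feed, as an added example that is not the audited project's code. The contract name, `FeedConfig`, `setFeed`, `owner` and the `PriceOutOfBounds` error are assumptions; unlike the snippet above, it also rejects a reading equal to either bound, since that is the value the circuit breaker returns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle wrapper: every name except AggregatorV3Interface is an assumption.
contract BoundedPriceOracle {
    struct FeedConfig {
        AggregatorV3Interface feed;
        int256 minPrice; // lower edge of the price band accepted for this asset
        int256 maxPrice; // upper edge of the price band accepted for this asset
    }

    address public immutable owner;
    mapping(address => FeedConfig) public feeds;

    error PriceOutOfBounds(address token, int256 price);

    constructor() {
        owner = msg.sender;
    }

    // Register a feed together with its band, so no asset can be priced without bounds.
    function setFeed(address token, address feed, int256 minPrice, int256 maxPrice) external {
        require(msg.sender == owner, "Not owner");
        require(feed != address(0), "Price feed not set");
        require(minPrice > 0 && minPrice < maxPrice, "Bad bounds");
        feeds[token] = FeedConfig(AggregatorV3Interface(feed), minPrice, maxPrice);
    }

    function getThePrice(address token) public view returns (int256) {
        FeedConfig memory cfg = feeds[token];
        require(address(cfg.feed) != address(0), "Price feed not set");
        (, int256 price, , , ) = cfg.feed.latestRoundData();
        // A reading at or beyond a bound may be the clamped value rather than the market price.
        if (price <= cfg.minPrice || price >= cfg.maxPrice) revert PriceOutOfBounds(token, price);
        return price;
    }
}
```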