Moonwell - niki's results

An open lending and borrowing DeFi protocol.

General Information

Platform: Code4rena

Start Date: 24/07/2023

Pot Size: $100,000 USDC

Total HM: 18

Participants: 73

Period: 7 days

Judge: alcueca

Total Solo HM: 8

Id: 267

League: ETH

Moonwell

Findings Distribution

Researcher Performance

Rank: 31/73

Findings: 2

Award: $149.29

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0xkazim

Also found by: Auditwolf, BRONZEDISC, Hama, MohammedRizwan, R-Nemes, dacian, kodyvim, markus_ether, nadin, niki, okolicodes

Labels

bug
2 (Med Risk)
low quality report
satisfactory
duplicate-340

Awards

104.4113 USDC - $104.41

External Links

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Oracles/ChainlinkOracle.sol#L97-L113

Vulnerability details

Impact

Detailed description of the impact of this finding.

Proof of Concept

Chainlink aggregators have a built-in circuit breaker that clamps the reported answer if the price of an asset goes outside a predetermined price band. The result is that if an asset experiences a huge drop in value (e.g. the LUNA crash), the oracle will continue to return the minPrice instead of the actual price of the asset. This would allow users to continue borrowing against the asset, but at the wrong price. This is exactly what happened to Venus on BSC when LUNA imploded.

Tools Used

manual

  • if (answer >= maxPrice || answer <= minPrice) revert();
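The check above, written out as a complete price reader. This is an added example, not the Moonwell ChainlinkOracle code and not the report's own code: it assumes the feed address is a Chainlink proxy exposing `aggregator()`, and that the underlying aggregator exposes the `minAnswer()` / `maxAnswer()` getters of Chainlink's OffchainAggregator contract. The staleness window and the error names are choices made here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces. The function names follow Chainlink's public contracts:
// AggregatorV3Interface for the feed, aggregator() on the proxy, and the
// minAnswer()/maxAnswer() getters on the OffchainAggregator behind it.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

interface IAggregatorProxy {
    function aggregator() external view returns (address);
}

interface IOffchainAggregatorBounds {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

contract BoundedChainlinkReader {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxStaleness);
    error PriceAtCircuitBreakerBound(int256 answer, int192 minAnswer, int192 maxAnswer);

    // Assumption: the deployer picks a staleness window per feed (e.g. 1 hours).
    uint256 public immutable maxStaleness;

    constructor(uint256 _maxStaleness) {
        maxStaleness = _maxStaleness;
    }

    /// @notice Returns the latest price, reverting instead of returning a clamped value.
    function getBoundedPrice(address feed) external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();

        // Reject non-positive answers and rounds older than the configured window.
        if (answer <= 0) revert InvalidPrice(answer);
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, maxStaleness);

        // A clamped answer sits exactly on one of the aggregator's bounds, so the
        // bounds are treated as exclusive: answer <= min or answer >= max reverts.
        address agg = IAggregatorProxy(feed).aggregator();
        int192 minAnswer = IOffchainAggregatorBounds(agg).minAnswer();
        int192 maxAnswer = IOffchainAggregatorBounds(agg).maxAnswer();
        if (answer <= int256(minAnswer) || answer >= int256(maxAnswer)) {
            revert PriceAtCircuitBreakerBound(answer, minAnswer, maxAnswer);
        }

        return uint256(answer);
    }
}
```

Reverting is the defensive choice for a lending market: a borrow that cannot be priced is refused rather than priced at the clamped value. Two caveats apply when adopting this: an aggregator that does not implement the bound getters will make the whole read revert, so the feed must be checked at integration time, and some feeds ship bounds so wide that the check never fires, in which case a per-asset sanity band configured by governance is the fallback.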

Assessed type

Oracle

#0 - 0xSorryNotSorry

2023-08-01T11:13:15Z

The implementation does not set a min/max value by design. Also, Chainlink does not return min/max price as per the AggregatorV3 docs HERE, contrary to what is reported below:

ChainlinkAggregators have minPrice and maxPrice circuit breakers built into them.

Further proof required as per the context.

#1 - c4-pre-sort

2023-08-01T11:13:18Z

0xSorryNotSorry marked the issue as low quality report

#2 - c4-judge

2023-08-14T22:19:36Z

alcueca marked the issue as duplicate of #340

#3 - c4-judge

2023-08-14T22:19:40Z

alcueca marked the issue as satisfactory

It is not good practice to have an underscore-prefixed function (e.g. _mint) that is external.

In ChainlinkOracle, the PricePosted event has requestPriceMantissa and newpriceMantissa, which are always going to be equal. You can remove one of them for gas efficiency.

#0 - c4-judge

2023-08-12T18:20:10Z

alcueca marked the issue as grade-a

#1 - ElliotFriedman

2023-08-15T17:38:27Z

"Is not a good practice to have a underline function(e.g. _mint) that is external." this is the compound function naming convention for admin functions, so this is out of scope

"In ChainlinkOracle event PricePosted has requestPriceMantissa and newpriceMantissa that are always going to be equal. You can remove one of them for gas efficiency" is valid

#2 - c4-sponsor

2023-08-15T17:38:33Z

ElliotFriedman marked the issue as sponsor confirmed

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
