Slow Ruby Zebra

Medium

MasterPriceOracle doesn't validate minAnswer/maxAnswer price when price is fetched from Chainlink

Summary

According to the readme, the protocol will be deployed to Optimism. As the _price() function shows, when the price is fetched on Optimism (chain ID 10), Chainlink push oracles are used:

    function _price(
        address underlying
    ) internal view returns (uint128, uint128) {
        ...
        else if (block.chainid == 10) {
            AggregatorV3Interface oracle = AggregatorV3Interface(oracles[underlying]);

            // Get the eth price
            (, int256 price_, , , ) = oracle.latestRoundData();
            // If the token is ETH
            if (underlying == assetAddress[IBorrowing.AssetName.ETH]) {
                // Return Exchange rate as 1 and ETH price with 2 decimals
                return (1 ether, uint128((uint256(price_) / 1e6)));
            } else {
                (, uint128 ethPrice) = _price(assetAddress[IBorrowing.AssetName.ETH]);
                // Return Exchange rate and ETH price with 2 decimals
                return (uint128(uint256(price_)), ethPrice);
            }
        } else {
            return (0, 0);
        }
    }

Most of the data feeds on Optimism still return minAnswer/maxAnswer. For example:

Root Cause

Missing minAnswer/maxAnswer check in the _price() function.
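
One way to add the missing check, as an added example that is not code from the audited project or from the report's author. It assumes the addresses stored in oracles[] are Chainlink proxy contracts that expose aggregator(), and that the underlying aggregator exposes minAnswer()/maxAnswer(); the names BoundedFeed and readChecked are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces, declared here so the example compiles on its own.
interface IFeedProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    // Assumption: the feed address is a Chainlink proxy that reports its current aggregator.
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical helper library; the name is not taken from the audited code base.
library BoundedFeed {
    error NonPositivePrice(int256 answer);
    error PriceAtLowerBound(int256 answer, int192 minAnswer);
    error PriceAtUpperBound(int256 answer, int192 maxAnswer);

    /// @notice Reads the latest answer and reverts when it is not strictly inside
    ///         the aggregator's (minAnswer, maxAnswer) band.
    /// @dev A feed with these bounds reports minAnswer when the market price falls
    ///      below it, so an answer equal to a bound cannot be trusted as the real price.
    function readChecked(address feed) internal view returns (uint256) {
        IFeedProxy proxy = IFeedProxy(feed);
        (, int256 answer, , , ) = proxy.latestRoundData();

        // Read the bounds on every call: the proxy can be pointed at a new aggregator.
        IOffchainAggregator agg = IOffchainAggregator(proxy.aggregator());
        int192 minAnswer = agg.minAnswer();
        int192 maxAnswer = agg.maxAnswer();

        if (answer <= 0) revert NonPositivePrice(answer);
        if (answer <= minAnswer) revert PriceAtLowerBound(answer, minAnswer);
        if (answer >= maxAnswer) revert PriceAtUpperBound(answer, maxAnswer);

        // Safe cast: answer is strictly positive at this point.
        return uint256(answer);
    }
}
```

In _price(), the chainId 10 branch would then take its price from BoundedFeed.readChecked(oracles[underlying]) instead of casting the raw latestRoundData() answer.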

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

If a scenario similar to the LUNA crash happens again, the ETH/USD pair, for example, will return prices that are higher than the actual price.

PoC

No response

Mitigation

No response