Furry Rusty Monkey
Medium
The protocol uses Chainlink AggregatorV3Interface for mainnet interactions.
Chainlink Oracle doesn't validate for minAnswer/maxAnswer
The current implementation of the Chainlink Oracle _price doesn't validate the price against the minAnswer/maxAnswer values:
(, int256 price_, , , ) = oracle.latestRoundData();
Chainlink still has feeds that use minAnswer/maxAnswer to limit the range of values. Hence, in case of a price crash, an incorrect price will be used to value the assets, allowing users to exploit this incorrectness by depositing the overvalued asset and borrowing against it.
In the event of a flash crash, lenders will lose their assets.
Manual review
Consider checking whether the returned price is outside the aggregator’s minAnswer/maxAnswer bounds, and revert if it is.
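One way to implement this check, as an added example that is not the protocol's code. The contract, interface and error names (BoundedPriceReader, IFeedProxy, IBoundedAggregator, PriceOutOfBounds) are hypothetical; it assumes the configured feed is a Chainlink proxy exposing aggregator() and that the underlying aggregator exposes minAnswer()/maxAnswer(). Rejecting a price that sits exactly on a bound is this example's choice, since a clamped feed reports the bound itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example: names below are hypothetical, not taken from the audited code.
interface IFeedProxy {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

    // Assumption: the feed address is a Chainlink proxy that exposes its current aggregator.
    function aggregator() external view returns (address);
}

interface IBoundedAggregator {
    // Assumption: the underlying aggregator exposes its configured bounds.
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

contract BoundedPriceReader {
    IFeedProxy public immutable oracle;

    error PriceOutOfBounds(int256 price, int256 minAnswer, int256 maxAnswer);

    constructor(IFeedProxy oracle_) {
        oracle = oracle_;
    }

    function price() external view returns (int256 price_) {
        // Same call as the original snippet.
        (, price_, , , ) = oracle.latestRoundData();

        // Resolve the aggregator on every read: the proxy can be repointed,
        // so bounds cached at deployment may no longer apply.
        IBoundedAggregator agg = IBoundedAggregator(oracle.aggregator());
        int256 minAnswer = int256(agg.minAnswer());
        int256 maxAnswer = int256(agg.maxAnswer());

        // Inclusive comparison: a value equal to a bound may be a clamped
        // report rather than the market price, so it is rejected as well.
        if (price_ <= minAnswer || price_ >= maxAnswer) {
            revert PriceOutOfBounds(price_, minAnswer, maxAnswer);
        }
    }
}
```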