Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

maushish - Risk of Incorrect Asset Pricing by Datafeed in Case of Underlying Aggregator Reaching minAnswer. #49

Closed
sherlock-admin3 opened this issue May 31, 2024 · 8 comments
Closed

maushish - Risk of Incorrect Asset Pricing by Datafeed in Case of Underlying Aggregator Reaching minAnswer. #49

sherlock-admin3 opened this issue May 31, 2024 · 8 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented May 31, 2024
edited
Loading

maushish

medium

Risk of Incorrect Asset Pricing by Datafeed in Case of Underlying Aggregator Reaching minAnswer.

Summary

Chainlink aggregators have a built-in circuit breaker to prevent the price of an asset from deviating outside a predefined price range. This circuit breaker may cause the oracle to persistently return the minPrice instead of the actual asset price in the event of a significant price drop, as witnessed during the LUNA crash.

Vulnerability Detail

DataFeed.sol uses AggregatorV3Interface as underlying aggregator for pulling data feed of EUR/USD.

AggregatorV3Interface {
  function decimals() external view returns (uint8);

  function description() external view returns (string memory);

  function version() external view returns (uint256);

  function getRoundData(uint80 _roundId)
    external
    view
    returns (
      uint80 roundId,
      int256 answer,
      uint256 startedAt,
      uint256 updatedAt,
      uint80 answeredInRound
    );

  function latestRoundData()
    external
    view
    returns (
      uint80 roundId,
      int256 answer,
      uint256 startedAt,
      uint256 updatedAt,
      uint80 answeredInRound
    );
}

latestRoundData extracts the linked aggregator and requests round data from it. If an asset's price falls below the minPrice, the protocol continues to value the token at the minPrice rather than its real value.This discrepancy could have the protocol end up minting drastically larger amount of mTBILLs.

Note

This happens due to Datafeed only checking for negative amounts and not for min/maxPrice.

Tip

Similar finding: sherlock-audit/2023-02-blueberry-judging#18

Impact

In the event of an asset crash (like LUNA), the protocol can be manipulated to handle calls at an inflated price.

Code Snippet

https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/feeds/DataFeed.sol#L72
https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/DepositVault.sol#L106

Tool used

Manual Review

Recommendation

It can be easily mitigated by introducing a check for minPrice and maxPrice
@github-actions github-actions bot closed this as completed Jun 3, 2024
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Excluded Excluded by the judge without consulting the protocol or the senior labels Jun 3, 2024
@github-actions github-actions bot mentioned this issue Jun 3, 2024
Closed
@sherlock-admin3 sherlock-admin3 changed the title Acrobatic Eggplant Shell - Risk of Incorrect Asset Pricing by Datafeed in Case of Underlying Aggregator Reaching minAnswer. maushish - Risk of Incorrect Asset Pricing by Datafeed in Case of Underlying Aggregator Reaching minAnswer. Jun 7, 2024
@sherlock-admin3 sherlock-admin3 added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jun 7, 2024
@blutorque
Copy link

blutorque commented Jun 7, 2024
edited
Loading

Escalate

I think why this has been considered invalid, its due to the reason finding #110 has mentioned the two different issues 1) chainlink circuit breaker check, 2) longer refresh rate(which this report mention also) under the same submission. However, those are two different issues, and should be considered different n valid.

Also it can be seen, previously in blueberry contest they are judge as two,
sherlock-audit/2023-02-blueberry-judging#94
sherlock-audit/2023-02-blueberry-judging#18

@sherlock-admin3
Copy link
Contributor Author

sherlock-admin3 commented Jun 7, 2024
edited by sherlock-admin4
Loading

Escalate

I think why this has been considered invalid, its due to the reason finding #110 has mentioned the two different issues 1) chainlink circuit breaker check, 2) longer refresh rate(which this report mention also) under the same submission. However, those are two different issues, and should be considered different n valid.

Also it can be seen, previously in blueberry contest they are judge as two,
sherlock-audit/2023-02-blueberry-judging#94
sherlock-audit/2023-02-blueberry-judging#18

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Jun 7, 2024
@maushish maushish mentioned this issue Jun 9, 2024
Closed
@WangSecurity
Copy link

Indeed, #110 should be 2 families instead of 1, will return here when the 2 families will be set correctly.

@WangSecurity WangSecurity mentioned this issue Jun 13, 2024
Closed
@WangSecurity
Copy link

Planning to accept the escalation and will duplicate with #110.

@blutorque
Copy link

Planning to accept the escalation and will duplicate with #110.

along with #110 and #49, there are also #172, #94, #64, #53, #142 belongs to 2nd family

@WangSecurity
Copy link

UPD: if #110 is in the end invalid, this escalation will be rejected cause it doesn't effect the reward distribution.

@WangSecurity
Copy link

WangSecurity commented Jun 18, 2024
edited
Loading

Result:
Invalid
Has duplicates

@sherlock-admin2
Copy link

sherlock-admin2 commented Jun 18, 2024
edited
Loading

Escalations have been resolved successfully!

Escalation status:

@sherlock-admin3 sherlock-admin3 removed the Escalated This issue contains a pending escalation label Jun 18, 2024
@sherlock-admin4 sherlock-admin4 added the Escalation Resolved This issue's escalations have been approved/rejected label Jun 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@blutorque @WangSecurity @sherlock-admin2 @sherlock-admin3 @sherlock-admin4