medium

Lack of fallbacks for price feed oracle

Reward

Total

98.54 USDC

Selected Submission


Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/libraries/OracleLib.sol#L26-L27

https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/d1c5501aa79320ca0aeaa73f47f0dbc88c7b77e2/src/libraries/OracleLib.sol#L30

Summary

The DSC protocol does not implement a fallback for its price feed oracle. If Chainlink's aggregators fail to update price data, the protocol will refuse to liquidate users' positions, leading to the protocol's disruption.

Vulnerability Details

The DSC protocol uses the staleCheckLatestRoundData() function to query price data for collateral tokens through Chainlink's price feed aggregators. However, if Chainlink's aggregators fail to update the price data, the DSC protocol will not be able to operate. In other words, the function will revert transactions because the received price data has become stale.

    function staleCheckLatestRoundData(AggregatorV3Interface priceFeed)
        public
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
@>      (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound) =
@>          priceFeed.latestRoundData();

        uint256 secondsSince = block.timestamp - updatedAt;
@>      if (secondsSince > TIMEOUT) revert OracleLib__StalePrice();

        return (roundId, answer, startedAt, updatedAt, answeredInRound);
    }

Impact

Without fallback solutions, the DSC protocol will be unable to operate if Chainlink's aggregators fail to update price data.

Consider the scenario in which Chainlink's aggregators fail to update price data while collateral tokens' prices drop dramatically: the DSC protocol will refuse to liquidate users' positions. Consequently, the protocol will eventually become insolvent, leading to the protocol's disruption.

Tools Used

Manual Review

Recommendations

I recommend implementing fallback solutions, such as using other off-chain oracle providers and/or Uniswap's on-chain TWAP, for feeding price data in case Chainlink's aggregators fail.
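
One way such a fallback could look, as an added sketch that is not code from the DSC repository or from the submission: the primary feed is tried first, and a secondary source is consulted only when the primary reverts or is stale. `FallbackOracleLib`, `freshPrice`, `_tryFeed`, the 3-hour `TIMEOUT` and the assumption that the secondary source exposes the same `latestRoundData()` interface with the same decimals and quote currency are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Trimmed copy of Chainlink's interface: only the call used here.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical library (added example, not part of the DSC code base).
library FallbackOracleLib {
    error FallbackOracleLib__NoFreshPrice();

    uint256 private constant TIMEOUT = 3 hours; // assumed staleness window

    /// @notice Returns a fresh, positive price from `primary`, else from `secondary`.
    /// @dev Assumes both feeds report the same pair with the same decimals.
    /// @return answer the price; usedFallback is true when `secondary` supplied it
    function freshPrice(AggregatorV3Interface primary, AggregatorV3Interface secondary)
        internal
        view
        returns (int256 answer, bool usedFallback)
    {
        bool ok;
        (ok, answer) = _tryFeed(primary);
        if (ok) return (answer, false);
        (ok, answer) = _tryFeed(secondary);
        if (ok) return (answer, true);
        // Both sources stale or failing: revert rather than act on a bad price.
        revert FallbackOracleLib__NoFreshPrice();
    }

    function _tryFeed(AggregatorV3Interface feed) private view returns (bool, int256) {
        // try/catch lets a reverting aggregator fall through to the next source
        // instead of aborting the whole transaction.
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            // Guard updatedAt > block.timestamp so the subtraction cannot underflow.
            bool fresh = updatedAt != 0 && updatedAt <= block.timestamp && block.timestamp - updatedAt <= TIMEOUT;
            return (fresh && answer > 0, answer);
        } catch {
            return (false, 0);
        }
    }
}
```

The `usedFallback` flag lets the caller apply stricter limits or emit an event while running on the secondary source, which is useful when that source (for example a TWAP) is easier to manipulate than the primary feed.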