low

A bad price can be delivered in ChainlinkARBOracle

Contest
sponsor logo

Steadefi
Reward

Total

34.28 USDC

asimaranov
3.01 USDC
0xhals
3.01 USDC
ZedBlockchain
3.01 USDC
pina
Selected
4.21 USDC
MaanVader
3.01 USDC
Rozzo
3.01 USDC
SupaRoutis
3.01 USDC
ak1
3.01 USDC
arnie
3.01 USDC
nervouspika
3.01 USDC
ZanyBonzy
3.01 USDC
Selected Submission

A bad price can be delivered in ChainlinkARBOracle

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/oracles/ChainlinkARBOracle.sol#L119

Summary

When the consultIn18Decimals() is called, can be returned a negative value. Because not exist correct validation for negative response.

Vulnerability Details

The ChainlinkARBOracle.sol has to garantie delivered correct price. Howerver exist a potencial scenario of this situation may be breaking.

Lets break each one part of this scenario:

  1. When consultIn18Decimals() is called, and call to consult() this function is encharge of verifie each answer and delivere a price not old, not zero,non-negative and garantie of sequencer is up.
  2. Posible scenario in consult() for the moment, we have: chainlinkResponse.answer = x where x > 0 prevChainlinkResponse.answer = y where y < 0 This is a negative value given by Chainlink
  3. _chainlinkIsFrozen() is pass correctly
  4. _chainlinkIsBroken(chainlinkResponse, prevChainlinkResponse, token) evaluate the following functions:
    • _badChainlinkResponse(currentResponse) pass correctly.
    • _badChainlinkResponse(prevResponse) pass also correctly because is only check if the value is zero, but not negative see : if (response.answer == 0) { return true; }
    • _badPriceDeviation(currentResponse, prevResponse, token): if( currentResponse.answer > prevResponse.answer) remember currentResponse.answer = x where x > 0 and prevResponse.answer = y where y < 0 So. x > y . This condition is passed successfully..
  5. For the evaluation of _deviation we have: _deviation = uint256(currentResponse.answer - prevResponse.answer) * SAFE_MULTIPLIER / uint256(prevResponse.answer); The result will always return zero. So validation on _badPriceDeviationof_deviation > maxDeviations[token]always returnsfalsebecause zero can never be greater for any number ofmaxDeviations[token]since it only accepts numbers of typeuint256 `

POC :

This scenario is illustrated in a minimalist example, which you can use in Remix:

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.21;

import { SafeCast } from "@openzeppelin/contracts/utils/math/SafeCast.sol";

error BrokenTokenPriceFeed();

contract PassWithNegativePrice {

    using SafeCast for int256;

    uint256 public maxDeviations;
    int256 public currentResponse;
    int256 public prevResponse;
    uint8 public decimal;
    
    constructor(int256 _currentResponse, int256 _prevResponse, uint8 _decimal,uint256 _maxDeviation )  {
        currentResponse = _currentResponse; //  _currentResponse > 0 e.g. 2000, 3, 90000000000000
        prevResponse = _prevResponse; // _prevResponse < 0  e.g. -3000, -1 
        decimal = _decimal; // _decimal can be 8, 18
        maxDeviations = _maxDeviation; // any value
    } 
    
    // You call this function,  result is currentResponse but doesn't matter  maxDeviations value
    function consultIn18Decimals() external view  returns (uint256) {
    
        (int256 _answer, uint8 _decimals) =  consult();

        return _answer.toUint256() * 1e18 / (10 ** _decimals);
    }

    function consult() internal view  returns (int256, uint8) { 

        if (_badPriceDeviation(currentResponse, prevResponse) )revert  BrokenTokenPriceFeed();

        return (currentResponse, decimal);
    }

    function _badPriceDeviation(int256 _currentResponse, int256 _prevResponse ) internal view returns (bool) {
    // Check for a deviation that is too large
        uint256 _deviation;

        if (_currentResponse > _prevResponse) { // Here is our scene, always result be zero with negative value of _prevResponse
        _deviation = uint256(_currentResponse - _prevResponse) * 1e18 / uint256(_prevResponse);
        } else {
        _deviation = uint256(_prevResponse - _currentResponse) * 1e18 / uint256(_prevResponse);
        }

        return _deviation > maxDeviations;
    }


}

Impact

High, the base protocol is how you get the price of the securities. The answer may be different than what is allowed. Because the maximum deviations will not be counted.

Tools Used

  • Manual code review
  • Remix

Recommendations

This behavior can be mitigated by setting the correct conditional:

if (response.answer <= 0) { return true; }

Also,due of only consultIn18Decimals() is the function that is called for the protocol. Visibility to "consult" may be restricted. Change from "public" to "internal".