low

Chainlink aggregators return the incorrect price if it drops below `minAnswer`

Contest Reward

Total: 76.06 USDC

Selected: 24.20 USDC; 17.29 USDC; 17.29 USDC; 17.29 USDC
Selected Submission

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-10-SteadeFi/blob/main/contracts/oracles/ChainlinkARBOracle.sol#L188

Summary

Chainlink aggregators have a built-in circuit breaker that triggers if the price of an asset goes outside of a predetermined price band. The result is that if an asset experiences a huge drop in value (e.g. the LUNA crash), the oracle will continue to return `minAnswer` instead of the actual price of the asset.

Vulnerability Details

Chainlink's `latestRoundData` looks up the associated aggregator and requests round data from it. Chainlink aggregators have `minAnswer` and `maxAnswer` circuit breakers built into them. This means that if the price of the asset drops below `minAnswer`, the protocol will continue to value the token at `minAnswer` instead of its actual value. The asset will therefore be priced incorrectly, allowing exploitation such as undercollateralized loans or unfair liquidations.

Impact

This discrepancy could cause major issues within the protocol and potentially lead to loss of funds. This is exactly what happened to Venus on BSC when LUNA imploded.

Tools Used

Manual review

Recommendations

Add a check that reverts if the price received from the oracle is out of bounds, as is recommended in Chainlink's documentation.
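
One way to implement the recommended check, as an added example rather than code from the audited repository or from this report. The inline interfaces, the contract name `BoundedPriceReader` and the error names are hypothetical; the example assumes the feed is a Chainlink proxy exposing `aggregator()` and that the underlying aggregator exposes `minAnswer()` and `maxAnswer()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal interfaces declared inline so the example is self-contained (assumed shapes).
interface IFeedProxy {
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
    function aggregator() external view returns (address);
}

interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

// Hypothetical consumer for illustration; not the ChainlinkARBOracle contract.
contract BoundedPriceReader {
    error PriceAtOrBelowMin(int256 answer, int256 minAnswer);
    error PriceAtOrAboveMax(int256 answer, int256 maxAnswer);

    function readPrice(address feed) external view returns (int256 answer) {
        (, answer, , , ) = IFeedProxy(feed).latestRoundData();

        // Read the bounds at call time: the proxy can be pointed at a new
        // aggregator whose limits differ from the ones seen at deployment.
        IOffchainAggregator agg = IOffchainAggregator(IFeedProxy(feed).aggregator());
        int256 minAnswer = int256(agg.minAnswer());
        int256 maxAnswer = int256(agg.maxAnswer());

        // An answer sitting exactly on a bound means the circuit breaker may
        // have clamped it, so the real market price could be outside the band.
        if (answer <= minAnswer) revert PriceAtOrBelowMin(answer, minAnswer);
        if (answer >= maxAnswer) revert PriceAtOrAboveMax(answer, maxAnswer);
    }
}
```

The comparison is inclusive on purpose: a clamped feed reports the bound itself, so `answer == minAnswer` has to revert as well. This covers only the price-band check described in this finding.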