Low Risk
https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L218
Calls to Oracles could potentially revert, which may result in a complete Denial-of-Service to smart contracts which depend upon them. Chainlink multisigs can immediately block access to price feeds at will, so just because a price feed is working today does not mean it will continue to do so indefinitely.
The code snippet below shows that distributeAssets() calls the Chainlink V3 aggregator to fetch the USD price of the assets.
if (asset.amount > 0) {
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
uint256 _portion = asset.amount * _positionStake / stakeTotal;
Although there is currently no whitelisting mechanism to allow or disallow contracts from reading prices, powerful multisigs can tighten these access controls. In other words, the multisigs can immediately block access to price feeds at will. distributeAssets() will then fail with various errors, causing a DoS.
If the multisig blocks access to fetch the price of specific assets, this creates a DoS.
Manual View
Use a try/catch statement to handle errors when fetching the price feeds.
try AggregatorV3Interface(priceFeedAddress).latestRoundData() returns (
    uint80,  // roundID
    int256 price,  // price
    uint256, // startedAt
    uint256, // timestamp
    uint80   // answeredInRound
) {
    return price;
} catch Error(string memory) {
    // Note: this clause only catches reverts that carry a reason string.
    // handle failure here:
    // revert, call proprietary fallback oracle, fetch from another 3rd-party oracle, etc.
}
https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles
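The recommendation above, carried through as an added example (not code from The Standard or from the linked article): a helper that reports feed failure to the caller instead of reverting. The contract name `SafePriceReader`, the function `tryLatestPrice` and the event `FeedUnavailable` are hypothetical; treating a non-positive answer as a failure is an assumption of this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal copy of the Chainlink interface method used on this page.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical helper for illustration only.
contract SafePriceReader {
    event FeedUnavailable(address indexed feed, bytes reason);

    // Returns (true, price) on success and (false, 0) when the feed
    // reverts, has no code, or reports a non-positive price.
    function tryLatestPrice(address feed) public returns (bool ok, int256 price) {
        // try/catch does not catch the revert raised in the caller when the
        // target address has no code, so that case is checked up front.
        if (feed.code.length == 0) {
            emit FeedUnavailable(feed, "");
            return (false, 0);
        }
        try AggregatorV3Interface(feed).latestRoundData() returns (
            uint80, int256 answer, uint256, uint256, uint80
        ) {
            // Assumption: a zero or negative answer is unusable as a price.
            if (answer <= 0) {
                emit FeedUnavailable(feed, "");
                return (false, 0);
            }
            return (true, answer);
        } catch (bytes memory reason) {
            // Low-level clause: also catches custom errors, panics and
            // empty reverts, which catch Error(string memory) would miss.
            emit FeedUnavailable(feed, reason);
            return (false, 0);
        }
    }
}
```

A caller that iterates over several assets can check `ok` and skip or defer the affected asset, so one blocked feed does not revert the whole call.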
After considering with the protocol team and the Codehawks internal team, and based on the information provided in the contest page about Chainlink prices being expected to be accurate and the price calculator contract being out of scope, considering all Chainlink price validation issues as known issues.