Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential Risk of Incorrect Vault Liquidation Due to Stale Chainlink Price Data #100

Closed
howlbot-integration bot opened this issue Jun 17, 2024 · 1 comment
Closed

Potential Risk of Incorrect Vault Liquidation Due to Stale Chainlink Price Data #100

howlbot-integration bot opened this issue Jun 17, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-69 partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) 🤖_41_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45-L58

Vulnerability details

Summary

In the protocol, determining if a vault is in danger depends on accurate price data. The system evaluates the vault's collateralization ratio to decide if immediate actions like liquidation are needed. The vulnerability stems from potential use of stale price data from Chainlink, which lacks mechanisms to ensure data freshness. This could lead to incorrect safety assessments, causing premature liquidations or missed risk mitigation opportunities, impacting user equity and protocol stability.

Impact

The impact of this vulnerability can be significant:

  • Incorrect Liquidations: Stale price data might incorrectly indicate that a vault's collateralization ratio has fallen below safe thresholds, triggering unnecessary liquidations.

  • Missed Liquidations: Conversely, if stale prices inaccurately suggest that a vault is safe when it's actually at risk, the protocol might fail to liquidate the vault, potentially leading to losses if market conditions worsen.

Proof of Concept

  1. The getsqrtPrice function using Chainlink price feed
function getSqrtPrice() external view returns (uint256 sqrtPrice) {
        (, int256 quoteAnswer,,,) = AggregatorV3Interface(_quotePriceFeed).latestRoundData();

        IPyth.Price memory basePrice = IPyth(_pyth).getPriceNoOlderThan(_priceId, VALID_TIME_PERIOD);

        require(basePrice.expo == -8, "INVALID_EXP");

        require(quoteAnswer > 0 && basePrice.price > 0);

        uint256 price = uint256(int256(basePrice.price)) * Constants.Q96 / uint256(quoteAnswer);
        price = price * Constants.Q96 / _decimalsDiff;

        sqrtPrice = FixedPointMathLib.sqrt(price);
    }
  1. The checkVaultIsDanger function uses this data to check if a vault is in danger by calling the isliquidatable function
function checkVaultIsDanger(
        DataType.PairStatus memory pairStatus,
        DataType.Vault memory vault,
        mapping(uint256 => DataType.RebalanceFeeGrowthCache) storage rebalanceFeeGrowthCache
    ) internal view returns (uint256 sqrtOraclePrice, uint256 slippageTolerance) {
        bool isLiquidatable;
        int256 minMargin;
        int256 vaultValue;

        DataType.FeeAmount memory FeeAmount =
            PerpFee.computeUserFee(pairStatus, rebalanceFeeGrowthCache, vault.openPosition);

        (isLiquidatable, minMargin, vaultValue, sqrtOraclePrice) =
            PositionCalculator.isLiquidatable(pairStatus, vault, FeeAmount);

        if (!isLiquidatable) {
            revert IPredyPool.VaultIsNotDanger(vaultValue, minMargin);
        }

        slippageTolerance = calculateSlippageTolerance(minMargin, vaultValue, pairStatus.riskParams);
    }

Tools Used

Manual code review

Recommended Mitigation Steps

Implement a Staleness Check for Chainlink Prices

Assessed type

Oracle
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_41_group AI based duplicate group recommendation bug Something isn't working duplicate-69 sufficient quality report This report is of sufficient quality labels Jun 17, 2024
howlbot-integration bot added a commit that referenced this issue Jun 17, 2024
@howlbot-integration
Sparrow issue #100
d348b84
@c4-judge
Copy link
Contributor

alex-ppg marked the issue as partial-75

@c4-judge c4-judge added the partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) label Jun 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-69 partial-75 Incomplete articulation of vulnerability; eligible for partial credit only (75%) 🤖_41_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge