Potential Risk of Incorrect Vault Liquidation Due to Stale Chainlink Price Data #100
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-69
partial-75: Incomplete articulation of vulnerability; eligible for partial credit only (75%)
🤖_41_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/a9246db5f874a91fb71c296aac6a66902289306a/src/PriceFeed.sol#L45-L58
Vulnerability details
Summary
In the protocol, determining if a vault is in danger depends on accurate price data. The system evaluates the vault's collateralization ratio to decide if immediate actions like liquidation are needed. The vulnerability stems from potential use of stale price data from Chainlink, which lacks mechanisms to ensure data freshness. This could lead to incorrect safety assessments, causing premature liquidations or missed risk mitigation opportunities, impacting user equity and protocol stability.
Impact
The impact of this vulnerability can be significant:
Incorrect Liquidations: Stale price data might incorrectly indicate that a vault's collateralization ratio has fallen below safe thresholds, triggering unnecessary liquidations.
Missed Liquidations: Conversely, if stale prices inaccurately suggest that a vault is safe when it's actually at risk, the protocol might fail to liquidate the vault, potentially leading to losses if market conditions worsen.
Proof of Concept
getsqrtPrice function using Chainlink price feed
checkVaultIsDanger function uses this data to check if a vault is in danger by calling the isliquidatable function
Tools Used
Manual code review
Recommended Mitigation Steps
Implement a Staleness Check for Chainlink Prices
Assessed type
Oracle