tmotfl - DebitaChainlink.getPrice returns incorrect price during flash crashes

[sherlock-admin2]

tmotfl

Medium

DebitaChainlink.getPrice returns incorrect price during flash crashes

Summary

Chainlink price feeds have in-built minimum & maximum prices they will return; if during a flash crash, bridge compromise, or depegging event, an asset’s value falls below the price feed’s minimum price, the oracle price feed will continue to report the (now incorrect) minimum price.

Root Cause

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/1465ba6884c4cc44f7fc28e51f792db346ab1e33/Debita-V3-Contracts/contracts/oracles/DebitaChainlink.sol#L30

    function getThePrice(address tokenAddress) public view returns (int) {
        // falta hacer un chequeo para las l2
        address _priceFeed = priceFeeds[tokenAddress];
        require(!isPaused, "Contract is paused");
        require(_priceFeed != address(0), "Price feed not set");
        AggregatorV3Interface priceFeed = AggregatorV3Interface(_priceFeed);

        // if sequencer is set, check if it's up
        // if it's down, revert
        if (address(sequencerUptimeFeed) != address(0)) {
            checkSequencer();
        }
        (, int price, , , ) = priceFeed.latestRoundData();

        require(isFeedAvailable[_priceFeed], "Price feed not available");
        require(price > 0, "Invalid price");
        return price;
    }

Note there is only a check for price to be non-negative, and not within an acceptable range.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The wrong price may be returned in the event of a market crash. An adversary will then be able to borrow against the wrong price and incur bad debt to the protocol.

PoC

No response

Mitigation

require(price >= minPrice && price <= maxPrice, "invalid price");