Chainlink responses from price feeds are being used without any sanity checks.
The ChainlinkPriceOracle contract is used to interface with the Chainlink price feeds for the different LST assets in scope in the protocol.
The current implementation is returning the latest response available from the Chainlink feed without doing any sanity checks.
There is check for stale prices, the function doesnβt validate if the last update timestamp is within a sane range, or if itβs aligned with the feedβs heartbeat. Note that different feeds may have different heartbeats, which means this should be checked using a per feed configuration.
There is also no check for prices being within the valid limits, or for big price deviations. During flash crashes, prices may fall abruptly for short periods of time, in which case the current implementation will simply return the current prices being reported by Chainlink.
Prices from Chainlink are being returned as is, without any validation or sanity checks.
34: /// @notice Fetches Asset/ETH exchange rate
35: /// @param asset the asset for which exchange rate is required
36: /// @return assetPrice exchange rate of asset
37: function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
38: return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
39: }
The following article contains a good summary of the recommended checks when consuming a Chainlink price feed.
Oracle
The text was updated successfully, but these errors were encountered:
All reactions