berlin-101 - Answer of Chainlink oracle is not sufficently validated and can return invalid/stale price

[sherlock-admin]

berlin-101

medium

Answer of Chainlink oracle is not sufficently validated and can return invalid/stale price

Summary

Answers of the used Chainlink oracle are not sufficently validated and can return an invalid/stale price. A stale price can lead to wrong liquidations or over-borrowing.

Vulnerability Detail

In https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/oracle/PriceOracle.sol#L67 the price of an asset is retrieved from the Chainlink oracle.

But the returned results is not sufficiently validated. The only check that is done is a check for an invalid price in case the returned price is <= 0;

 require(price > 0, "invalid price");

The correctness of the returned oracle price is important as it used for multiple purposes:

1. Evaluating account liquidity to judge whether an account is liquidatable and how much is liquidatable: https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L1079, https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L827
2. Evaluating account liquidity to judge how much of an asset a user can borrow: https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L393

Invalid prices in these cases will lead to wrong account liquidations and over-borrowing.

The interface of the used lastRoundData() function of the oracle (see Chainlink docs) looks as follow (paramater naming adapted to usage in IronBank project):

function latestRoundData() external view
    returns (
        uint80 roundId,             //  The round ID.
        int256 price,              //  The price.
        uint256 startedAt,          //  Timestamp of when the round started.
        uint256 updatedAt,          //  Timestamp of when the round was updated.
        uint80 answeredInRound      //  The round ID of the round in which the answer was computed.
    )

The following additional checks are missing on the returned oracle data:

uint256 maxDelay = maxDelay[base][quote]; // <--- the project should hold information about the individual asset heartbeats
require(maxDelay > 0, "no max delay set");

require(updatedAt >= roundId, "Stale price");
require(startedAt != 0, "round not complete");

if (updatedAt < block.timestamp - maxDelayTime){
   revert("stale price");
}

Impact

Invalid assumption about an asset price results in wrong judgement of account liquidity which leads to over-borrowing or wrong liquidations.

Code Snippet

Tool used

Manual Review

Recommendation

Follow the Chainlink recommendations in regards to validating retrieved oracle data and implement the missing checks.

Duplicate of #9