Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

In order for lending protocols to determine the price of an asset, a price oracle is used to fetch prices either on-chain or off-chain. This is known as a price oracle. In this case, Chainlink was being relied upon.

The Chainlink oracle is secure by itself. However, the integration of Chainlink to the application needs to be tested as well.

Normally, the data is fetched via the call to AggregatorInterface.latestAnswer. This is secure. But, what if this fails? If this fails, such as when the price is 0, then a fallback function is called.

This fallback function (_fallbackOracle.getAssetPrice) has zero access control; this was meant to be a test only function. If this function was called then anyone can set any price for any asset. Yikes!

If this possible to trigger? If an asset is valued at $0, then it could happen. Additionally, they use the function deprecated function latestAnswer instead of latestRoundData.

If a new asset was added as a collateral before the price feed of the asset is configured, there would be a brief moment where the fallback oracle was used, and hence manipulated. Damn... that's wild.

This service was tested by 5 different solidity expert companies. So, why did they miss it? The company only allowed audits to happen on test environments instead of an actual blockchain (test net) setup. The test code should not have been deployed, which was told to the companies doing the audits.

Overall, a super interesting finding on why end-to-end security testing must be done. Good find!