Category: Coding Mistakes
The fallback oracle returns zero price when no price information is provided
High Severity
Medium Impact
Low Likelihood
Description
If the oracle does not have price information for the requested asset, the price information in the fallback oracle is used:
function getAssetPrice(address asset) public view override returns (uint256) {
    if (asset == BASE_CURRENCY) {
        return BASE_CURRENCY_UNIT;
    } else {
        int256 price = _adapter.currentPrice(asset);
        if (price > 0) {
            return uint256(price);
        } else {
            return _fallbackOracle.getAssetPrice(asset);
        }
    }
}
The following is the source code of getAssetPrice in PalmyFallbackOracle, the fallback oracle contract:
function getAssetPrice(address asset) external view override returns (uint256) {
    return uint256(_prices[asset].price);
}
This function returns zero if the fallback oracle has no price information of the asset. As a result, the asset is priced at zero.
Impact
Because the asset is priced at zero, the asset can be borrowed without enough collateral. This leads to the loss of funds for the particular asset.
Recommendations
Consider checking if the fallback oracle has the price information of the asset when the protocol fetches it.
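One way to apply this recommendation, shown as an added example; it is not the project's code and not the fix in the commit referenced below. The interface names IPriceAdapter and IFallbackOracle, the contract name CheckedPriceOracle and the error PriceUnavailable are assumptions modelled on the calls quoted in the description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Assumed interfaces, shaped after the calls quoted in the finding.
interface IPriceAdapter {
    function currentPrice(address asset) external view returns (int256);
}

interface IFallbackOracle {
    function getAssetPrice(address asset) external view returns (uint256);
}

contract CheckedPriceOracle {
    address public immutable BASE_CURRENCY;
    uint256 public immutable BASE_CURRENCY_UNIT;
    IPriceAdapter private immutable _adapter;
    IFallbackOracle private immutable _fallbackOracle;

    // Hypothetical error: neither the primary nor the fallback source has a price.
    error PriceUnavailable(address asset);

    constructor(
        address baseCurrency,
        uint256 baseCurrencyUnit,
        IPriceAdapter adapter,
        IFallbackOracle fallbackOracle
    ) {
        BASE_CURRENCY = baseCurrency;
        BASE_CURRENCY_UNIT = baseCurrencyUnit;
        _adapter = adapter;
        _fallbackOracle = fallbackOracle;
    }

    function getAssetPrice(address asset) public view returns (uint256) {
        if (asset == BASE_CURRENCY) {
            return BASE_CURRENCY_UNIT;
        }
        int256 price = _adapter.currentPrice(asset);
        if (price > 0) {
            return uint256(price);
        }
        // An unset mapping entry in the fallback oracle reads as 0. Treat that
        // as "no price" and revert instead of valuing the asset at zero.
        uint256 fallbackPrice = _fallbackOracle.getAssetPrice(asset);
        if (fallbackPrice == 0) revert PriceUnavailable(asset);
        return fallbackPrice;
    }
}
```

With this check, any operation that needs the asset's price reverts until a price is available, rather than proceeding with a zero valuation.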
Remediation
This issue has been acknowledged by Familia Labs Ltd., and a fix was implemented in commit 06d174bd.