deadrxsezzz
medium
Allowing for the oracle to get an asset's price based off another asset's data feed possesses a risk
When setting an asset's Chainlink aggregator, said asset can be linked to a different base/quote pair.
Allowing for an asset to be linked to a different base/quote pair opens up unnecessary risks for the protocol. I suppose the idea is for 1:1 assets (e.g. stETH and ETH) to be able to use each other's data feeds in case one goes down/ doesn't exist. However, linking two assets in such ways opens up numerous attack vectors as depegs happen.
An example : stETH is linked to ETH's Chainlink Data Feeds. stETH depegs and goes down in value. People can now buy it cheaply, deposit it in IronBank and use it with an inflated value, taking what really are undercollateralized loans, draining money from the project.
In case an asset is linked to another asset's data feeds and one depegs, IronBank will be drained.
Manual Review
Do not link any asset to another asset's data feeds.