H-03 MitigationConfirmed

[c4-submissions]

Lines of code

Vulnerability details

Original Issue

• H-03: AfEth deposits could use price data from an invalid Chainlink response

Details

• In order to determine the price feed for ETH/CVX, Asymmetry utilizes chainlink price feed oracle which is deployed here. The afETH.price() relies on safETH.approxPrice() and vEthStrategy.price() as seen below:

  • function price() public view returns (uint256) {
    if (totalSupply() == 0) return 1e18;
    AbstractStrategy vEthStrategy = AbstractStrategy(vEthAddress);
    uint256 safEthValueInEth = (ISafEth(SAF_ETH_ADDRESS).approxPrice(true) *
        safEthBalanceMinusPending()) / 1e18;
    uint256 vEthValueInEth = (vEthStrategy.price() *
        vEthStrategy.balanceOf(address(this))) / 1e18;
    return ((vEthValueInEth + safEthValueInEth) * 1e18) / totalSupply();
    }

• Where vEthStrategy.price() allows the staleness of the price feed by simply not validating it:

  • function price() external view override returns (uint256) {
    return (cvxPerVotium() * ethPerCvx(false)) / 1e18;
    }

Mitigation

• The fix proposed is about validating the price feed to prevent any staleness.

• Fully mitigated within the following PR.

Conclusion

• LGTM

[c4-judge]

0xleastwood marked the issue as confirmed for report

[c4-judge]

0xleastwood marked the issue as satisfactory