Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #843
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/oracles/ChainlinkPriceOracle.sol#L34-L39
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L116-L144
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L146-L157
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L91-L110
Vulnerability details
Impact
Oracle price feeds can become stale for a variety of reasons. Using a stale price results in an incorrect calculation of the amount of rsETH to mint.
Proof of Concept
When users deposit assets in the LRTDepositPool, the calculation of rsethAmountToMint can produce wrong values because it uses outdated oracle prices, so the user receives either too much or too little rsETH:

rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
Tools Used
Manual Review
Recommended Mitigation Steps
latestAnswer() is deprecated; use latestRoundData() instead and add a clear threshold after which a price is considered stale (e.g. 2 minutes).
From the Chainlink documentation
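The following is an added illustration of the mitigation, not code from the Kelp repository: a hypothetical oracle contract that shows the deprecated latestAnswer() read beside a latestRoundData() read with a per-feed staleness threshold (the contract name, the heartbeat mapping and the 2-minute default are assumptions for the example).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of the Chainlink aggregator interface used by this example.
interface AggregatorV3Interface {
    function latestAnswer() external view returns (int256); // deprecated
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle contract written for this example (not Kelp's ChainlinkPriceOracle).
contract StalenessCheckedOracle {
    // Maximum accepted age of a price per feed; assumption: 2 minutes as the report suggests.
    uint256 public constant DEFAULT_MAX_AGE = 2 minutes;
    mapping(address => uint256) public maxAge; // feed => heartbeat threshold (0 => default)

    // Vulnerable pattern: no freshness check, deprecated call. A feed that stopped updating
    // keeps returning its last answer, so rsETH minting would use an outdated price.
    function getPriceUnchecked(address feed) external view returns (uint256) {
        return uint256(AggregatorV3Interface(feed).latestAnswer());
    }

    // Mitigated pattern: latestRoundData() plus validation of the answer and its timestamp.
    function getPriceChecked(address feed) external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        // A non-positive answer is never a valid ETH-denominated price.
        require(answer > 0, "oracle: invalid price");
        // updatedAt == 0 means the round is not yet complete.
        require(updatedAt != 0, "oracle: round not complete");
        // Reject a price older than the configured threshold for this feed.
        uint256 threshold = maxAge[feed] == 0 ? DEFAULT_MAX_AGE : maxAge[feed];
        require(block.timestamp - updatedAt <= threshold, "oracle: stale price");
        // Guard against an answer carried over from an earlier round.
        require(answeredInRound >= roundId, "oracle: stale round");

        return uint256(answer);
    }
}
```

A deposit path that calls getPriceChecked() reverts instead of minting rsETH against a stale price; the threshold should match each feed's documented heartbeat rather than a single global value.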
Assessed type
Oracle