Open c4-submissions opened 8 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #34
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #215
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Impact
According to Chainlink's documentation,
lastestAnswer()
is deprecated and should no be used. Furthermore, the use of this function does not allow Kelp DAO to check the freshness of the price gotten. This function will not revert if no answer was reached by the oracle and will return 0 instead. This will affect Kelp ifLRTOracle
usesChainlinkPriceOracle
as the "PriceFetcher". If no answer is found by the oracle,getAssetPrice(asset)
will return 0. The main area of concern is withgetRSETHPrice()
function:https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L66-L79
If
assetER = 0
then the return value of thegetRSETHPrice()
function will also be 0, reverting that specific deposit inLRTDepositPool
as it is impossible to divide by 0: https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109see: https://docs.chain.link/data-feeds/api-reference#latestanswer
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Use
latestRoundData()
function instead.Assessed type
Oracle