Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #609
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 marked the issue as duplicate of #584
fatherGoose1 marked the issue as satisfactory
fatherGoose1 changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52-L79
Vulnerability details
Impact
The price provided by the Chainlink oracle may be stale, which can affect the price of RSETH.
Proof of Concept
ChainlinkPriceOracle.getAssetPrice is used to obtain the price of each LST. That price is then used in getRSETHPrice to calculate the price of RSETH.
According to the Chainlink docs, the RETH/ETH price feed has a heartbeat of 86400s and a deviation threshold of 2%.
Likewise, the cbETH feed has a heartbeat of 86400s and a deviation threshold of 1%.
This means that as long as the price moves by less than 2%, the feed may not be updated for up to 24 hours, and the contract will keep consuming the old answer.
A 2% range for pegged tokens is quite significant and can create arbitrage opportunities against RSETH, negatively impacting its price.
Similar issue:
https://github.com/sherlock-audit/2023-03-olympus-judging/issues/2
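The following is an added illustration of how a consumer can refuse a round that is older than the feed's heartbeat, written for this report and not taken from the Kelp codebase; the contract name, admin role, setFeed function and GRACE_PERIOD are assumptions, while the 86400s heartbeat values come from the report above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal subset of Chainlink's AggregatorV3Interface; the real interface
// also exposes decimals(), description() and version().
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical hardened price reader: each feed is registered together with
// its documented heartbeat (e.g. 86400 s for RETH/ETH and cbETH/ETH).
contract StalenessGuardedOracle {
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(address feed, int256 answer);

    address public immutable admin;
    mapping(address asset => address feed) public assetPriceFeed;
    mapping(address asset => uint256 heartbeat) public assetHeartbeat;

    // Tolerance on top of the heartbeat so a slightly late round is not rejected.
    uint256 public constant GRACE_PERIOD = 1 hours;

    constructor() {
        admin = msg.sender;
    }

    function setFeed(address asset, address feed, uint256 heartbeat) external {
        require(msg.sender == admin, "not admin");
        require(feed != address(0) && heartbeat > 0, "bad feed config");
        assetPriceFeed[asset] = feed;
        assetHeartbeat[asset] = heartbeat;
    }

    // Returns the latest answer, reverting if it is non-positive or if the
    // round is older than heartbeat + grace, instead of silently using it.
    function getAssetPrice(address asset) external view returns (uint256) {
        address feed = assetPriceFeed[asset];
        require(feed != address(0), "feed not set");
        uint256 maxAge = assetHeartbeat[asset] + GRACE_PERIOD;
        (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
        if (answer <= 0) revert InvalidPrice(feed, answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) {
            revert StalePrice(feed, updatedAt, maxAge);
        }
        return uint256(answer);
    }
}
```

A revert on staleness must be handled by callers such as the RSETH price calculation, otherwise minting and redemption paths simply halt while the feed is stale.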
Tools Used
VS Code
Recommended Mitigation Steps
Since there is no USD price feed for rETH or cbETH, it is recommended to use a different price feed, such as the Pyth network or a custom price feed.
Assessed type
Oracle