code-423n4 / 2023-11-kelp-findings


Chainlink Oracle Uses Excessively Long Heartbeat and Large Deviation #191

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52-L79

Vulnerability details

Impact

The price provided by the Chainlink oracle may be stale, which can affect the price of RSETH.

Proof of Concept

// ChainlinkPriceOracle.getAssetPrice as submitted: reads latestAnswer() only,
// so neither the round's updatedAt timestamp nor the answer's sign is checked.
function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
    return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
}

ChainlinkPriceOracle.getAssetPrice is used to obtain the price of LST.

This is used in getRSETHPrice to calculate the price of RSETH.

According to the Chainlink docs, the RETH/ETH price feed has a heartbeat of 86400s and a deviation of 2%.

Also, cbETH has a heartbeat of 86400s and a deviation of 1%.

This means that for a maximum of 2% price fluctuation, there will be no updates for 24 hours.

A 2% range in peg tokens is quite significant and can create arbitrage opportunities for RSETH, negatively impacting its price.

Similar issue:

https://github.com/sherlock-audit/2023-03-olympus-judging/issues/2

Tools Used

VS Code

Recommended Mitigation Steps

Since there is no USD price feed for rETH and cbETH, it is recommended to use a different price feed like the Pyth network or a custom price feed.

Assessed type

Oracle
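As an added illustration (not code from the Kelp repository or from the report above), the following hypothetical oracle reads the feed through latestRoundData() and rejects an answer whose updatedAt is older than the feed's documented heartbeat. The contract name, the per-asset maxPriceAge mapping and the grace margin are assumptions; a staleness check catches a feed that has stopped updating, but it does not tighten the 1-2% deviation threshold the report objects to, which is why the report recommends a different feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface needed for the check.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical hardened oracle (added example): reverts instead of returning a stale price.
contract StalenessCheckedOracle {
    error StalePrice(address asset, uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(address asset, int256 answer);
    error IncompleteRound(address asset, uint80 roundId, uint80 answeredInRound);

    address public immutable admin;
    mapping(address => address) public assetPriceFeed;
    // Maximum accepted answer age per asset: the feed's documented heartbeat
    // (86400 seconds for the rETH/ETH and cbETH/ETH feeds named in the report)
    // plus a small grace margin for update latency.
    mapping(address => uint256) public maxPriceAge;

    constructor() {
        admin = msg.sender;
    }

    function setFeed(address asset, address feed, uint256 heartbeat) external {
        require(msg.sender == admin, "not admin");
        assetPriceFeed[asset] = feed;
        maxPriceAge[asset] = heartbeat + 15 minutes; // assumed grace margin
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        IAggregatorV3 feed = IAggregatorV3(assetPriceFeed[asset]);
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        // Negative or zero answers are never valid for an LST/ETH price.
        if (answer <= 0) revert InvalidPrice(asset, answer);
        // A round whose answer came from an earlier round has not completed.
        if (answeredInRound < roundId) revert IncompleteRound(asset, roundId, answeredInRound);
        // Reject an answer that is older than the feed's heartbeat allows.
        if (block.timestamp - updatedAt > maxPriceAge[asset]) {
            revert StalePrice(asset, updatedAt, maxPriceAge[asset]);
        }
        return uint256(answer);
    }
}
```

Callers such as getRSETHPrice then fail closed on a stale feed rather than minting or redeeming against an out-of-date LST price.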

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 11 months ago

raymondfam marked the issue as not a duplicate

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #609

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid

c4-judge commented 10 months ago

fatherGoose1 marked the issue as duplicate of #584

c4-judge commented 10 months ago

fatherGoose1 marked the issue as satisfactory

c4-judge commented 10 months ago

fatherGoose1 changed the severity to 3 (High Risk)