Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #375
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L45
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Bug Description
The Chainlink data feed function latestAnswer() returns an int value type. This is because the price can sometimes be negative, hence the need to have it as a signed value. See here. But the Kelp DAO integration of Chainlink expects Chainlink's latestAnswer() to always return a uint type value. This wrong integration will cause:
- getAssetPrice() in LRTOracle.sol and ChainlinkPriceOracle.sol to return false underflowed values if Chainlink reports negative price values
- getRSETHPrice() to report wrong underflowed values that are close to the type(uint256).max value, or even cause reverts in the calculation if totalAssetAmt * assetER > type(uint256).max
- wrong amounts of RsETH to be minted to users when they deposit via depositAsset()
- the getRsETHAmountToMint() function to return a very large uint value or cause a revert if (amount * lrtOracle.getAssetPrice(asset)) > type(uint256).max
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37C1-L39C6
If a negative int value is returned by Chainlink's latestAnswer(), getAssetPrice() will return a false/very large uint value due to underflow.
The function getAssetPrice() in LRTOracle.sol is used to get asset prices and is also used by getRSETHPrice() to calculate the price of RsETH. In the event that the Chainlink price is -0.998e18, for example, getAssetPrice() in LRTOracle.sol will return the price as ~type(uint).max - 0.998e18 due to underflow. This will cause calculations to result in extremely large values or even unexpected reverts in getRSETHPrice() if totalAssetAmt * assetER > type(uint256).max. Snippet of the affected getRSETHPrice() calculation below.
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L66C1-L71C55
Impact
Due to the incorrect integration of Chainlink, in some market conditions where Chainlink data feed contracts return a negative integer value, the value returned by getAssetPrice() in LRTOracle.sol will be close to type(uint).max due to uint underflow. This value will be inaccurate. This wrong integration will cause:
- getAssetPrice() in LRTOracle.sol and ChainlinkPriceOracle.sol to return false underflowed values if Chainlink reports negative price values
- getRSETHPrice() to report wrong underflowed values that are close to the type(uint256).max value, or even cause reverts in the calculation if totalAssetAmt * assetER > type(uint256).max
- wrong amounts of RsETH to be minted to users when they deposit via depositAsset()
- the getRsETHAmountToMint() function to return a very large uint value or cause a revert if (amount * lrtOracle.getAssetPrice(asset)) > type(uint256).max
Tools Used
manual review
Recommended Mitigation Steps
1.) In the interface and functions directly calling the Chainlink latestAnswer(), change the returned type to int.
2.) In the function getRSETHPrice(), modify the logic to make assetpriceassetER to be zero (0) if the price gotten from Chainlink is negative.
Assessed type
Oracle
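The signed-to-unsigned reinterpretation described in this report, next to a read that checks the sign before converting, as an added example that is not part of the original submission or the Kelp code base. ISignedPriceFeed, MockFeed and CheckedPriceReader are hypothetical names, and reverting on a non-positive answer is this example's own choice rather than the zero substitution suggested in step 2 above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; all contract and interface names here are hypothetical.
// Feed interface declared with the signed return type the report refers to.
interface ISignedPriceFeed {
    function latestAnswer() external view returns (int256);
}

// Constructed stand-in feed so the behaviour can be exercised locally.
contract MockFeed is ISignedPriceFeed {
    int256 public answer;

    function set(int256 newAnswer) external {
        answer = newAnswer;
    }

    function latestAnswer() external view returns (int256) {
        return answer;
    }
}

contract CheckedPriceReader {
    error NonPositivePrice(int256 answer);

    // An explicit int256 -> uint256 conversion is not range-checked in 0.8.x:
    // a negative answer -x is reinterpreted as 2**256 - x.
    // reinterpret(-0.998e18) == type(uint256).max - 0.998e18 + 1
    function reinterpret(int256 answer) public pure returns (uint256) {
        return uint256(answer);
    }

    // Checked arithmetic then reverts (Panic 0x11) once the product
    // no longer fits, e.g. amount = 2 with a reinterpreted negative price.
    function scaled(uint256 amount, int256 answer) external pure returns (uint256) {
        return amount * reinterpret(answer);
    }

    // Validated read: reject zero and negative answers before converting,
    // so no reinterpreted value ever reaches the pricing math.
    function readPrice(ISignedPriceFeed feed) external view returns (uint256) {
        int256 answer = feed.latestAnswer();
        if (answer <= 0) revert NonPositivePrice(answer);
        return uint256(answer);
    }
}
```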