code-423n4 / 2023-11-kelp-findings


Lack of fallback for price feed Oracle leads to errors or zero prices #326

Open c4-submissions opened 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109

Vulnerability details

Impact

Lack of fallback for the price feed Oracle leads to errors or zero prices, putting the protocol at risk of unexpected and undesirable behaviour.

Proof of Concept

```solidity
// ChainlinkPriceOracle.sol: the price is taken straight from latestAnswer() with no validation or fallback.
function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
    return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
}
```

The asset price relies only on the Chainlink Oracle, which can be down, provide wrong answers if minAnswer or maxAnswer is reached, or return a 0 price if no answer is reached. This implies users can't exchange tokens, or exchange tokens at unfair rates, or can mint zero rsETH.

Tools Used

Manual Analysis, Past Reports

Recommended Mitigation Steps

Make use of a backup like Uniswap TWAP, as prices for the assets in the system like stETH are available. Therefore, fallback prices can be used in the case of challenges with Chainlink prices.

Assessed type

Other
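The validation and fallback path the report recommends, written out as an added example (this is not code from the Kelp repository or from the submitter). `latestRoundData()` is the real Chainlink `AggregatorV3Interface` call; the `GuardedPriceOracle` contract, the `IFallbackPriceOracle` interface standing in for a Uniswap TWAP wrapper, and the per-asset `heartbeat`/`minPrice`/`maxPrice` configuration are assumptions made for the example. The contract refuses to return a zero price: a primary answer that is missing, stale, or pinned at the circuit-breaker band is rejected, the fallback is consulted, and if that fails too the call reverts instead of letting the deposit pool mint rsETH against a price of 0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Chainlink aggregator interface (this matches the real AggregatorV3Interface signature).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical fallback oracle, e.g. a wrapper around a Uniswap v3 TWAP (assumption; not in the Kelp codebase).
interface IFallbackPriceOracle {
    function getAssetPrice(address asset) external view returns (uint256);
}

contract GuardedPriceOracle {
    struct FeedConfig {
        AggregatorV3Interface feed; // primary Chainlink feed for the asset
        uint256 heartbeat;          // max age in seconds before an answer is treated as stale
        int256 minPrice;            // sanity band; configure strictly inside the aggregator's minAnswer/maxAnswer,
        int256 maxPrice;            // which the proxy does not expose on-chain, so the band is an off-chain decision
    }

    address public immutable admin;
    IFallbackPriceOracle public fallbackOracle;
    mapping(address => FeedConfig) public feeds;

    error Unauthorized();
    error UnsupportedAsset(address asset);
    error NoValidPrice(address asset);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized();
        _;
    }

    constructor(IFallbackPriceOracle _fallbackOracle) {
        admin = msg.sender;
        fallbackOracle = _fallbackOracle;
    }

    function setFeed(address asset, AggregatorV3Interface feed, uint256 heartbeat, int256 minPrice, int256 maxPrice)
        external
        onlyAdmin
    {
        require(address(feed) != address(0) && heartbeat > 0 && minPrice > 0 && maxPrice > minPrice, "bad config");
        feeds[asset] = FeedConfig(feed, heartbeat, minPrice, maxPrice);
    }

    // Returns (price, ok). ok == false means the primary feed is unusable and the caller must fall back.
    function _primaryPrice(FeedConfig memory cfg) internal view returns (uint256, bool) {
        try cfg.feed.latestRoundData() returns (
            uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80 answeredInRound
        ) {
            if (answer <= 0) return (0, false); // no answer yet, or a zero/negative price
            if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > cfg.heartbeat) {
                return (0, false); // stale: feed has not updated within its heartbeat
            }
            if (answeredInRound < roundId) return (0, false); // legacy incomplete-round check
            if (answer <= cfg.minPrice || answer >= cfg.maxPrice) return (0, false); // pinned at circuit-breaker bound
            return (uint256(answer), true);
        } catch {
            return (0, false); // feed reverted: deprecated, paused, or otherwise down
        }
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        FeedConfig memory cfg = feeds[asset];
        if (address(cfg.feed) == address(0)) revert UnsupportedAsset(asset);

        (uint256 price, bool ok) = _primaryPrice(cfg);
        if (ok) return price;

        // Primary feed unusable: consult the fallback, and still never hand back a zero price.
        try fallbackOracle.getAssetPrice(asset) returns (uint256 fallbackPrice) {
            if (fallbackPrice == 0) revert NoValidPrice(asset);
            return fallbackPrice;
        } catch {
            revert NoValidPrice(asset);
        }
    }
}
```

The `try`/`catch` around both calls is what turns a Chainlink outage or a deprecated feed from a hard revert (or a silent 0 from `latestAnswer()`) into a controlled fallback; the `minPrice`/`maxPrice` band exists because a feed whose aggregator has hit its `minAnswer`/`maxAnswer` keeps reporting that clamped value with a fresh `updatedAt`, so a staleness check alone does not catch it.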

c4-pre-sort commented 10 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 10 months ago

raymondfam marked the issue as not a duplicate

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #194

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #723

c4-judge commented 9 months ago

fatherGoose1 changed the severity to QA (Quality Assurance)

c4-judge commented 9 months ago

fatherGoose1 marked the issue as grade-b