code-423n4 / 2023-11-kelp-findings


getAssetPrice() in ChainlinkPriceOracle.sol doesn't check for stale price #477

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39

Vulnerability details

Impact

getAssetPrice() in ChainlinkPriceOracle.sol doesn't check for stale price

Proof of Concept

getAssetPrice() in ChainlinkPriceOracle directly calls the latestAnswer() and doesn't perform any check if the price obtained is outdated.

```solidity
function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
    // latestAnswer() returns only the price; it carries no round id or update timestamp,
    // so the caller cannot tell how old the answer is.
    return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
}
```

This can cause a stale price to be used and affect the minting of rsETH.

Tools Used

Manual Review

Recommended Mitigation Steps

Check if the price from Chainlink is stale

Assessed type

Other
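The following is an added illustration of the recommended mitigation, not code from the Kelp repository or from the submitter. It replaces the deprecated `latestAnswer()` call with `latestRoundData()`, which also returns the timestamp of the last update, and rejects answers that are non-positive, come from an incomplete round, or are older than a per-asset maximum age. The contract name, the `maxPriceAge` mapping, the custom errors and the owner-gated setters are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Chainlink v3 aggregator interface (only the functions used here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle wrapper with a staleness check (example code, not the project's).
contract StalenessCheckedOracle {
    error NotOwner();
    error UnsupportedAsset(address asset);
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    address public immutable owner;

    // asset => Chainlink feed address
    mapping(address => address) public assetPriceFeed;
    // asset => maximum accepted age of an answer, in seconds. Assumed to be configured
    // slightly above the feed's published heartbeat (e.g. 3600 plus a margin for a 1h feed).
    mapping(address => uint256) public maxPriceAge;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Register a feed together with the staleness threshold that applies to it.
    function setAssetFeed(address asset, address feed, uint256 maxAge) external onlyOwner {
        assetPriceFeed[asset] = feed;
        maxPriceAge[asset] = maxAge;
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        address feedAddr = assetPriceFeed[asset];
        if (feedAddr == address(0)) revert UnsupportedAsset(asset);

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feedAddr).latestRoundData();

        // A zero or negative answer is never a valid ETH-denominated price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not completed; answeredInRound < roundId means
        // the answer being returned was computed for an earlier round.
        if (updatedAt == 0 || answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // Reject answers older than the configured threshold for this asset.
        uint256 maxAge = maxPriceAge[asset];
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);

        return uint256(answer);
    }
}
```

The threshold has to be chosen per feed: Chainlink feeds publish a heartbeat (the maximum interval between updates when the price stays within the deviation band), and a `maxAge` below that heartbeat would revert on healthy feeds, while one far above it defeats the check. Reverting rather than returning a fallback value is the conservative choice for a minting path, since it halts rsETH minting until the feed recovers instead of minting against an outdated price.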

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 11 months ago

raymondfam marked the issue as not a duplicate

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #843

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid