Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #34
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #215
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/oracles/ChainlinkPriceOracle.sol#L37-L39 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L109 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTOracle.sol#L46 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTOracle.sol#L68
Vulnerability details
Summary
The usage of the
latestAnswer
function from the Chainlink library has been deprecated according to Chainlink’s documentation. This function, if no response is available, does not throw an error but returns a value of 0.The
getAssetPrice()
function calls the deprecated latestAnswer function, potentially resulting in incorrect price data for various feeds or leading to a division by zero and possibly a Denial of Service vulnerability.Impact
The affected functions, are
getRsETHAmountToMint()
andgetRSETHPrice()
. In getRsETHAmountToMint(), if getAssetPrice() returns 0:If
getRSETHPrice()
also returns 0, it leads to a Denial of Service due to division by zero.If
getRSETHPrice()
does not return 0, rsethAmountToMint becomes zero, meaning the user receives no share despite depositing an asset.Tools Used
Manual review
Recommendations
To mitigate this risk, it is advisable to transition from using latestAnswer to latestRoundData. Additionally, incorporate checks on the return data and add error handling if the price is outdated or the round is incomplete:
Assessed type
Oracle