code-423n4 / 2023-11-kelp-findings


`ChainlinkPriceOracle.getAssetPrice` lacks a decimal check. #561

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39

Vulnerability details

Impact

In ChainlinkPriceOracle.getAssetPrice, the function assumes that all price feeds' decimals are equal. This might be true for stETH/rETH/cbETH, but according to LRTConfig.addNewSupportedAsset and ChainlinkPriceOracle.updatePriceFeedFor, the protocol might add new assets in the future, in which case the assumption might not hold true.

Proof of Concept

ChainlinkPriceOracle.getAssetPrice is defined as:

    function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
        // Returns the feed's raw answer as-is: the feed's decimals() is never read or normalized.
        return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
    }

Tools Used

VIM

Recommended Mitigation Steps

Assessed type

Decimal
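As an added illustration (not code from the Kelp repository or from the submitter), the raw pattern described in the finding next to a version that scales every feed to a common precision. The `IAggregator` interface, `TARGET_DECIMALS` and `scaleToTarget` are assumptions for this example; the interface's `latestAnswer()` returns `uint256` to match the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal feed interface for this example; Chainlink aggregators expose decimals().
interface IAggregator {
    function latestAnswer() external view returns (uint256);
    function decimals() external view returns (uint8);
}

contract DecimalAwareOracle {
    // Precision every returned price is normalized to (assumed choice for this example).
    uint8 public constant TARGET_DECIMALS = 18;
    address public immutable admin;
    mapping(address => address) public assetPriceFeed;

    constructor() {
        admin = msg.sender;
    }

    function updatePriceFeedFor(address asset, address feed) external {
        require(msg.sender == admin, "not admin");
        assetPriceFeed[asset] = feed;
    }

    // Pattern from the finding: an 8-decimal feed and an 18-decimal feed
    // return values that differ by 1e10 for the same real-world price.
    function getAssetPriceRaw(address asset) external view returns (uint256) {
        return IAggregator(assetPriceFeed[asset]).latestAnswer();
    }

    // Hardened: read the feed's own decimals() and scale to TARGET_DECIMALS,
    // so prices from feeds with different precision are comparable.
    function getAssetPrice(address asset) external view returns (uint256) {
        IAggregator feed = IAggregator(assetPriceFeed[asset]);
        uint256 answer = feed.latestAnswer();
        require(answer > 0, "invalid price");
        return scaleToTarget(answer, feed.decimals());
    }

    // Pure scaling helper: 100_000_000 with 8 decimals becomes 1e18 with 18 decimals.
    function scaleToTarget(uint256 price, uint8 feedDecimals) public pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return price;
        if (feedDecimals < TARGET_DECIMALS) {
            return price * 10 ** uint256(TARGET_DECIMALS - feedDecimals);
        }
        return price / 10 ** uint256(feedDecimals - TARGET_DECIMALS);
    }
}
```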

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #97

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #479

c4-judge commented 10 months ago

fatherGoose1 marked the issue as satisfactory

c4-judge commented 10 months ago

fatherGoose1 changed the severity to QA (Quality Assurance)