Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Proof of Concept
According to the Chainlink documentation (https://docs.chain.link/data-feeds/api-reference), the latestAnswer() function has been deprecated. It does not revert when the feed has no answer; it returns 0 instead, so a zero price is silently passed downstream.
Tools Used
Manual review
Recommended Mitigation Steps
I recommend using the latestRoundData function to obtain the price instead, and adding checks on the returned data that revert with a descriptive message when the price is stale or the round is not complete, for example:

```solidity
// Read the full round instead of the deprecated latestAnswer()
(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
// Reject answers carried over from an earlier, incomplete round
require(answeredInRound >= roundID, "...");
// Reject a round that was never updated (no timestamp)
require(timeStamp != 0, "...");
```
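The following is an added example, not code from the Kelp repository or from Chainlink, that puts the weak latestAnswer() read next to a hardened latestRoundData() read with the checks described above plus a positive-price check. The contract name, the custom errors and the maxAge (feed heartbeat) parameter are assumptions for illustration; the interface signatures match the public Chainlink AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal copy of the AggregatorV3Interface functions used here
// (the real interface ships in @chainlink/contracts).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Deprecated interface, kept only to show the weak pattern side by side.
interface AggregatorInterface {
    function latestAnswer() external view returns (int256);
}

contract PriceConsumerExample {
    // Assumed error set; descriptive reverts make a failed read visible on-chain.
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error InvalidPrice(int256 answer);

    AggregatorV3Interface public immutable feed;
    // Assumed: maximum accepted age of an answer, set from the feed's heartbeat.
    uint256 public immutable maxAge;

    constructor(address feedAddress, uint256 maxAge_) {
        feed = AggregatorV3Interface(feedAddress);
        maxAge = maxAge_;
    }

    // Weak pattern: latestAnswer() returns 0 rather than reverting when the
    // feed has no answer, so callers cannot tell "no data" from "price is 0".
    function getPriceUnchecked() external view returns (int256) {
        return AggregatorInterface(address(feed)).latestAnswer();
    }

    // Hardened pattern: read the whole round and reject anything stale,
    // incomplete, or non-positive before the value reaches pricing logic.
    function getPrice() external view returns (uint256 price, uint8 decimals) {
        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = feed.latestRoundData();

        // Answer must belong to the round being reported, not an earlier one.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // Round must have been updated, not lie in the future, and be fresh.
        if (
            updatedAt == 0 ||
            updatedAt > block.timestamp ||
            block.timestamp - updatedAt > maxAge
        ) revert StalePrice(updatedAt, maxAge);
        // A zero or negative price is never a valid asset quote.
        if (answer <= 0) revert InvalidPrice(answer);

        price = uint256(answer);
        decimals = feed.decimals();
    }
}
```

One caveat when reusing this: maxAge has to be chosen per feed from its documented heartbeat and deviation threshold; a value that is too tight makes the consumer revert during normal quiet markets, while one that is too loose lets a stalled feed keep serving an old price. Current Chainlink documentation also marks answeredInRound as deprecated for OCR feeds, so the updatedAt freshness check is the one that should be relied on long term.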
Assessed type
Oracle