code-423n4 / 2023-11-kelp-findings


Using the deprecated Chainlink function latestAnswer #573

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Proof of Concept

According to the Chainlink documentation (https://docs.chain.link/data-feeds/api-reference), the latestAnswer() function has been deprecated. This function does not throw an error if no response is received, but instead returns 0, causing the wrong price to be passed.

Tools Used

Manual review

Recommended Mitigation Steps

I recommend using the latestRoundData function to get the price instead. We also recommend adding checks on the returned data with proper cancellation messages if the price is out of date or the round is not completed, for example:

```solidity
// Read the latest round instead of the deprecated latestAnswer().
(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
// The round must be complete (answer not carried over from an older round).
require(answeredInRound >= roundID, "...");
// A zero timestamp means no response was received for this round.
require(timeStamp != 0, "...");
```

Assessed type

Oracle
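A hardened read path along the lines the submission recommends, as an added example that is not the Kelp code base's own contract: the feed address, the `maxPriceAge` window, the custom errors and the scaling to 18 decimals are assumptions, and the interface is a local copy of the relevant part of Chainlink's AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal local copy of the Chainlink aggregator interface (only what is used here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Example reader that replaces a bare latestAnswer() call with a validated latestRoundData() read.
contract ValidatedChainlinkReader {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error InvalidPrice(int256 answer);

    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxPriceAge; // assumed: feed heartbeat plus a grace period, in seconds

    constructor(AggregatorV3Interface _feed, uint256 _maxPriceAge) {
        feed = _feed;
        maxPriceAge = _maxPriceAge;
    }

    /// Returns the latest price scaled to 18 decimals (assumes the feed has <= 18 decimals),
    /// or reverts if the round is incomplete, stale, or carries a non-positive answer.
    function getPrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // Answer carried over from an older round: round not finalised yet.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        // updatedAt == 0 means no response was received; anything older than maxPriceAge is stale.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }

        // This is the case latestAnswer() would have silently passed through as 0.
        if (answer <= 0) revert InvalidPrice(answer);

        return uint256(answer) * 10 ** (18 - feed.decimals());
    }
}
```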

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #34

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid