Closed: c4-submissions closed this issue 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #843
fatherGoose1 marked the issue as unsatisfactory: Invalid
Hi @fatherGoose1, @raymondfam, and @manoj9april.
I don't know why the return of stale/incorrect prices was invalidated, but I would like to provide additional info.
Here are excerpted parts from my report above:
The ChainlinkPriceOracle::getAssetPrice() reports price data to its callers without validating the staleness and incorrectness of the data. The price data reported by the getAssetPrice() will be consumed by crucial functions: LRTDepositPool::getRsETHAmountToMint() and LRTOracle::getRSETHPrice(). Consuming stale or incorrect prices can cause the minting of rsETH tokens to be incorrect.
The situations that can cause the price data to be stale or incorrect:
@serial-coder, this report provides the base level of validations for checking for oracle freshness. The bot provides a link to Chainlink's documentation which highlights the latestRoundData() function.
There are several other submissions that highlight actual attack paths due to stale data or price discrepancies between the input assets. This current report does not match those in terms of actionable insights, and therefore will not be upgraded.
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L68
Vulnerability details
The ChainlinkPriceOracle::getAssetPrice() reports price data to its callers without validating the staleness and incorrectness of the data.
Proof of Concept
The ChainlinkPriceOracle::getAssetPrice() reports price data fed from Chainlink's Price Feed Aggregators to its callers without validating the staleness and incorrectness of the data.
Impact
The price data reported by the getAssetPrice() will be consumed by crucial functions: LRTDepositPool::getRsETHAmountToMint() and LRTOracle::getRSETHPrice(). Consuming stale or incorrect prices can cause the minting of rsETH tokens to be incorrect.
Tools Used
Manual Review
Recommended Mitigation Steps
Validate the staleness and incorrectness of the fed price data as shown below.
Chainlink's latestAnswer() to latestRoundData() to access other returned parameters for validating the price data.
Assessed type
Oracle
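The validation the mitigation above calls for (switching from latestAnswer() to latestRoundData() and checking the extra return values), written out as an added example that is neither the Kelp project's code nor the warden's. The asset-to-feed mapping, the per-asset maxPriceAge setting and the owner-only setter are assumptions for illustration; the interface is the standard Chainlink AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Standard Chainlink aggregator interface, reduced to the one member this example uses.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added example (not the project's code): an oracle wrapper that validates the
// fields returned by latestRoundData() before reporting a price to callers.
contract ValidatedChainlinkPriceOracle {
    error InvalidPrice(address asset, int256 answer);
    error StalePrice(address asset, uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(address asset, uint80 roundId, uint80 answeredInRound);
    error NotOwner();

    address public immutable owner;
    // asset => Chainlink feed address (assumed wiring; the project's storage layout may differ)
    mapping(address => address) public assetPriceFeed;
    // asset => maximum accepted answer age in seconds; set to the feed's heartbeat plus a margin
    mapping(address => uint256) public maxPriceAge;

    constructor() {
        owner = msg.sender;
    }

    // Assumed admin entry point so the contract is usable stand-alone.
    function setFeed(address asset, address feed, uint256 maxAge) external {
        if (msg.sender != owner) revert NotOwner();
        assetPriceFeed[asset] = feed;
        maxPriceAge[asset] = maxAge;
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(assetPriceFeed[asset]).latestRoundData();

        // A zero or negative answer can never be a valid ETH-denominated price.
        if (answer <= 0) revert InvalidPrice(asset, answer);
        // updatedAt == 0 means the round never completed; an old timestamp means the feed stopped
        // updating. A future timestamp makes the subtraction underflow and revert, which is also correct.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxPriceAge[asset]) {
            revert StalePrice(asset, updatedAt, maxPriceAge[asset]);
        }
        // answeredInRound < roundId means the answer was carried over from an earlier round.
        if (answeredInRound < roundId) revert IncompleteRound(asset, roundId, answeredInRound);

        return uint256(answer);
    }
}
```

Callers such as the deposit and rsETH-pricing paths then revert on a stale or invalid feed instead of minting against a bad price, which is the failure mode the report describes.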