code-423n4 / 2023-11-kelp-findings


Lacking Validation of Chainlink's Oracle Queries in ChainlinkPriceOracle #691

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/4b34abc952205e2a34bff893a0de0c75b8052149/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

In the ChainlinkPriceOracle contract, relying solely on the latestAnswer function poses a potential problem as it lacks the capability to verify crucial aspects of query validity. Issues such as stale data, invalid prices, or incomplete rounds cannot be adequately addressed, highlighting the need for enhanced query validation mechanisms within the Chainlink smart contract.

Tools Used

manual review

Recommended Mitigation Steps

Consider validating the output of latestRoundData() to match the following code snippet:

```solidity
(
    uint80 roundID,
    int256 price,
    ,                       // startedAt is not needed here
    uint256 updateTime,
    uint80 answeredInRound
) = AggregatorInterface(assetPriceFeed[asset]).latestRoundData();
// The answer must belong to the current round, not be carried over from an earlier one.
require(answeredInRound >= roundID, "Chainlink Price Stale");
// A non-positive answer indicates an aggregator malfunction.
require(price > 0, "Chainlink Malfunction");
// A zero timestamp means the round has not completed.
require(updateTime != 0, "Incomplete round");
```

Assessed type

Invalid Validation
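As an added illustration that is not part of the submitted report or the Kelp code base: a hardened `getAssetPrice` that applies the checks recommended above and additionally rejects answers older than a per-asset age limit, a freshness condition the report's snippet does not cover. `AggregatorV3Interface` is Chainlink's standard aggregator interface; the `maxPriceAge` mapping, the custom error names and the 18-decimal normalisation are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract ValidatedChainlinkOracle {
    // asset => Chainlink price feed (same role as the page's assetPriceFeed mapping)
    mapping(address => address) public assetPriceFeed;
    // asset => maximum accepted age of an answer in seconds (assumed; set to the feed's heartbeat plus a margin)
    mapping(address => uint256) public maxPriceAge;

    error FeedNotConfigured(address asset);
    error IncompleteRound(uint80 roundId);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 price);

    // Returns the asset price scaled to 18 decimals, reverting on any sign of a bad round.
    function getAssetPrice(address asset) external view returns (uint256) {
        address feedAddr = assetPriceFeed[asset];
        if (feedAddr == address(0)) revert FeedNotConfigured(asset);
        AggregatorV3Interface feed = AggregatorV3Interface(feedAddr);

        (uint80 roundId, int256 price, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // A zero updatedAt means the round never completed.
        if (updatedAt == 0) revert IncompleteRound(roundId);
        // An answer carried over from an earlier round means the feed has not produced a new one.
        if (answeredInRound < roundId) revert StalePrice(updatedAt, maxPriceAge[asset]);
        // Even a completed round is useless once it is older than the feed's expected update cadence.
        if (block.timestamp - updatedAt > maxPriceAge[asset]) revert StalePrice(updatedAt, maxPriceAge[asset]);
        // Zero or negative answers indicate an aggregator malfunction.
        if (price <= 0) revert InvalidPrice(price);

        // Normalise to 18 decimals so callers see one scale regardless of the feed (assumes feeds use <= 18).
        uint8 feedDecimals = feed.decimals();
        require(feedDecimals <= 18, "Unsupported feed decimals");
        return uint256(price) * 10 ** uint256(18 - feedDecimals);
    }
}
```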

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #34

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid