Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #878
raymondfam marked the issue as duplicate of #723
fatherGoose1 changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L68
Vulnerability details
ChainlinkPriceOracle::getAssetPrice() returns the result of Chainlink's latestAnswer() directly and has no handling for the case where that call reverts. A revert in the feed therefore propagates to every caller, denying access to oracle prices.

Proof of Concept
ChainlinkPriceOracle::getAssetPrice() calls latestAnswer() on the Chainlink aggregator registered for an asset to fetch the latest price of each supported LST (e.g., stETH, cbETH, rETH). That call can revert for several reasons outside the protocol's control, for instance if Chainlink's multisig blocks access to the price feed. getAssetPrice() makes the external call without a try/catch and without any fallback, so a revert in latestAnswer() bubbles up and getAssetPrice() itself reverts for that asset.

Impact
The price reported by getAssetPrice() is required by crucial functions: LRTDepositPool::getRsETHAmountToMint() and LRTOracle::getRSETHPrice(). A revert in Chainlink's latestAnswer() blocks access to the affected LST's price, which in turn blocks the rsETH minting path and any other function that reads the oracle.

Tools Used
Manual Review

Recommended Mitigation Steps
Wrap the call to latestAnswer() in a try/catch block and handle the failure case explicitly, for instance by falling back to Uniswap's TWAP oracle or to another oracle service such as Tellor. The fallback also keeps price data available to the protocol while the primary feed is unavailable.

Assessed type
Oracle
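One way to implement the mitigation recommended above. This is an added example written for this page; it is not code from the Kelp DAO repository or from the report. It assumes a minimal AggregatorInterface exposing only latestAnswer(), a hypothetical IFallbackOracle with a getAssetPrice(address) function standing in for a Uniswap TWAP or Tellor adapter, and the hypothetical names ResilientChainlinkPriceOracle, setPriceFeeds, ToggleableFeed and ConstantFallbackOracle. It goes one step beyond the report's text: a zero or negative answer, and a feed address with no code, are also treated as "primary unavailable" and routed to the fallback.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added example, not code from the Kelp DAO repository. The interface names
// and the fallback oracle's getAssetPrice(address) signature are assumptions.

/// Minimal subset of Chainlink's AggregatorInterface used by the report.
interface AggregatorInterface {
    function latestAnswer() external view returns (int256);
}

/// Hypothetical secondary price source (a Uniswap TWAP adapter, a Tellor
/// adapter, etc.). Its signature is an assumption made for this example.
interface IFallbackOracle {
    function getAssetPrice(address asset) external view returns (uint256);
}

contract ResilientChainlinkPriceOracle {
    error Unauthorized();
    error AssetNotSupported(address asset);
    error NoPriceAvailable(address asset);

    address public immutable admin;
    mapping(address => address) public assetPriceFeed; // asset => Chainlink feed
    mapping(address => address) public fallbackOracle; // asset => secondary oracle

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized();
        _;
    }

    function setPriceFeeds(address asset, address feed, address secondary) external onlyAdmin {
        assetPriceFeed[asset] = feed;
        fallbackOracle[asset] = secondary;
    }

    /// Prefers Chainlink; falls back to the secondary oracle when the Chainlink
    /// call reverts or yields a non-positive answer. Reverts with a descriptive
    /// error only when both sources fail.
    function getAssetPrice(address asset) external view returns (uint256) {
        address feed = assetPriceFeed[asset];
        if (feed == address(0)) revert AssetNotSupported(asset);

        // try/catch only catches a revert raised inside the external call. If
        // `feed` has no code, the empty return data fails to decode in *this*
        // contract, which try/catch does not catch, so guard for that first.
        if (feed.code.length > 0) {
            try AggregatorInterface(feed).latestAnswer() returns (int256 answer) {
                if (answer > 0) return uint256(answer);
                // zero or negative answer: treat as unavailable and fall through
            } catch {
                // feed reverted (e.g. access restricted by the feed owner): fall through
            }
        }

        address secondary = fallbackOracle[asset];
        if (secondary != address(0) && secondary.code.length > 0) {
            try IFallbackOracle(secondary).getAssetPrice(asset) returns (uint256 price) {
                if (price > 0) return price;
            } catch {
                // secondary also failed
            }
        }

        revert NoPriceAvailable(asset);
    }
}

/// Test double (constructed for this example): a feed that can be switched
/// into a reverting state, to exercise the fallback path.
contract ToggleableFeed is AggregatorInterface {
    int256 public answer;
    bool public blocked;

    constructor(int256 initialAnswer) {
        answer = initialAnswer;
    }

    function setBlocked(bool value) external {
        blocked = value;
    }

    function latestAnswer() external view override returns (int256) {
        require(!blocked, "feed access restricted");
        return answer;
    }
}

/// Test double (constructed for this example): a fixed-price secondary oracle.
contract ConstantFallbackOracle is IFallbackOracle {
    uint256 public immutable price;

    constructor(uint256 fixedPrice) {
        price = fixedPrice;
    }

    function getAssetPrice(address) external view override returns (uint256) {
        return price;
    }
}
```

To exercise it: deploy ToggleableFeed(1e18) and ConstantFallbackOracle(99e16), register both for an asset with setPriceFeeds, and call getAssetPrice; it returns 1e18 from the Chainlink path. Call setBlocked(true) on the feed and repeat: latestAnswer() now reverts, the revert is caught, and 99e16 is returned from the fallback instead of the whole call failing. Two caveats a reviewer would add: the secondary source has to be as trustworthy as the primary, since a revert in the feed now routes price discovery through it; and Chainlink's documentation marks latestAnswer() as deprecated in favour of latestRoundData(), which also exposes updatedAt for a staleness check, a point outside the scope of this report but relevant to any rewrite of this function.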