code-423n4 / 2023-11-kelp-findings


getAssetPrice() is not checking for the return value #741

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

Chainlink's latestAnswer() might return 0 if no answer could be reached. The code is not checking for that, which is dangerous as it is used to calculate pricing between pairs. In the worst case, this could affect the exchange rate and result in fund loss for the protocol.

Proof of Concept

https://github.com/code-423n4/2021-06-tracer-findings/issues/145

Tools Used

Manual review.

Recommended Mitigation Steps

Check the returned price or, better yet, use latestRoundData instead.

Assessed type

Oracle
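The unchecked read described in this report beside its checked form, as an added Solidity example that is not the Kelp ChainlinkPriceOracle code; the wrapper contract, the feed mapping and the MAX_STALENESS bound are assumptions, while the aggregator interface is the standard Chainlink one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of the standard Chainlink aggregator interface.
interface IAggregator {
    function latestAnswer() external view returns (int256);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Hypothetical oracle wrapper used only to illustrate the finding.
contract PriceOracleExample {
    mapping(address => address) public assetPriceFeed; // asset => Chainlink feed (assumed layout)
    uint256 public constant MAX_STALENESS = 1 hours;    // assumed freshness bound

    constructor(address asset, address feed) {
        assetPriceFeed[asset] = feed;
    }

    /// Vulnerable pattern: the raw answer is returned as-is. A 0 answer flows
    /// straight into downstream exchange-rate math, and a negative answer
    /// wraps to a huge value in the uint256 cast.
    function getAssetPriceUnchecked(address asset) external view returns (uint256) {
        return uint256(IAggregator(assetPriceFeed[asset]).latestAnswer());
    }

    /// Hardened pattern: read latestRoundData and reject an answer that is
    /// non-positive, stale, or reported for an incomplete round.
    function getAssetPriceChecked(address asset) external view returns (uint256) {
        IAggregator feed = IAggregator(assetPriceFeed[asset]);
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_STALENESS, "oracle: stale answer");
        require(answeredInRound >= roundId, "oracle: incomplete round");
        return uint256(answer);
    }
}
```

Any caller that computes an exchange rate from the price should call the checked variant so that a failed or stale feed reverts instead of silently pricing an asset at 0.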

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #34

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid