Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Impact
Chainlink's latestAnswer() might return 0 if no answer could be reached. The code is not checking for that, which is dangerous as it is used to calculate pricing between pairs. In the worst case, this could affect the exchange rate and result in fund loss for the protocol.
Proof of Concept
https://github.com/code-423n4/2021-06-tracer-findings/issues/145
Tools Used
Manual review.
Recommended Mitigation Steps
Check the returned price or, better yet, use latestRoundData instead.
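One way to apply this mitigation, as an added example that is not code from the Kelp repository: a wrapper that reads latestRoundData and reverts on a zero or negative answer. The contract name, error names and the maxDelay parameter are hypothetical, and the staleness check goes beyond the zero-price case this finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Subset of Chainlink's AggregatorV3Interface needed for the check.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

/// Hypothetical wrapper (illustrative names, not the project's contract).
contract CheckedPriceOracle {
    error InvalidPrice(int256 answer);
    error RoundNotComplete();
    error StalePrice(uint256 updatedAt);

    AggregatorV3Interface public immutable feed;
    // Assumption: maximum accepted age of an answer, in seconds,
    // chosen by the deployer to match the feed's heartbeat.
    uint256 public immutable maxDelay;

    constructor(AggregatorV3Interface feed_, uint256 maxDelay_) {
        feed = feed_;
        maxDelay = maxDelay_;
    }

    /// Returns the feed price, reverting instead of passing 0 downstream.
    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        // The case from the finding: no answer reached yields 0.
        // A negative answer is rejected as well before the cast below.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not been completed.
        if (updatedAt == 0) revert RoundNotComplete();
        // Reject answers from the future or older than the tolerated delay.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxDelay) {
            revert StalePrice(updatedAt);
        }
        return uint256(answer);
    }
}
```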
Assessed type
Oracle