code-423n4 / 2023-11-kelp-findings


No Freshness checks are done #749

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

In multiple places, pricing is retrieved from the Price Oracle, but they never check if the prices are stale. If the returned pricing data is stale, the code will execute with prices that don’t reflect the current pricing, resulting in a potential loss of funds for the user and/or the protocol.

Proof of Concept

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L46

Tools Used

Recommended Mitigation Steps

Use latestRoundData and check the return value for when the price was last updated, and reject those that are too old.

Assessed type

Oracle
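
The staleness check recommended in the report above, as an added example that is not part of the original submission or of the Kelp code base. The contract name `FreshPriceReader`, the `maxAge` parameter and the custom errors are hypothetical; only the `latestRoundData` signature comes from Chainlink's AggregatorV3Interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// example compiles on its own.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical wrapper (not Kelp code): reads a feed and rejects stale answers.
contract FreshPriceReader {
    error InvalidPrice(int256 answer);
    error RoundIncomplete();
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    AggregatorV3Interface public immutable feed;
    // Assumed parameter: longest tolerated age in seconds, chosen per feed
    // from its published heartbeat plus a margin.
    uint256 public immutable maxAge;

    constructor(AggregatorV3Interface feed_, uint256 maxAge_) {
        feed = feed_;
        maxAge = maxAge_;
    }

    function getFreshPrice() external view returns (uint256) {
        (, int256 answer,, uint256 updatedAt,) = feed.latestRoundData();

        // A non-positive answer cannot be used as a price.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not completed yet.
        if (updatedAt == 0) revert RoundIncomplete();
        // Reject data older than the tolerated age. A timestamp in the future
        // makes the subtraction underflow, which also reverts under 0.8.x.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);

        return uint256(answer);
    }
}
```

A single global `maxAge` is rarely appropriate when several assets are priced, since feeds update on different heartbeats; in that case the threshold would be stored per feed.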

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 11 months ago

raymondfam marked the issue as not a duplicate

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #843

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid