code-423n4 / 2023-11-kelp-findings


Chainlink price feed is deprecated, not sufficiently validated and can return stale prices, which will lead to a lot of issues #762

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

This issue is not like the bot report, as the bot doesn’t show means of exploitation and a proper mitigation. In ChainlinkPriceOracle.sol, the function _createActionInfo() uses Chainlink's deprecated latestAnswer function. This function also does not guarantee that the price returned by the Chainlink price feed is not stale, and there are no additional checks to ensure that the return values are valid. The following issues can arise.

The following issues could be used to exploit/drain the protocol if an asset’s feed returns the above.

Proof of concept

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38


function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
    return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
}

Tools Used

Manual review

Recommended Mitigation Steps

Use Chainlink’s latest round data and check against

Assessed type

Invalid Validation
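One way to read a feed through latestRoundData with validation, as an added example that is not part of the original submission or the Kelp code base. The contract name, the per-feed maxAge window and the specific checks are assumptions, since the submission's own list of checks is cut off.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract name; this is not the project's ChainlinkPriceOracle.
contract ValidatedChainlinkOracle {
    error FeedNotConfigured(address asset);
    error InvalidPrice(address asset, int256 answer);
    error RoundNotComplete(address asset);
    error StalePrice(address asset, uint256 updatedAt);

    struct FeedConfig {
        AggregatorV3Interface feed;
        uint256 maxAge; // assumed staleness window in seconds, chosen per feed from its heartbeat
    }

    mapping(address => FeedConfig) public feedConfig;

    // Feeds are fixed at deployment so the example needs no access-control logic.
    constructor(address[] memory assets, AggregatorV3Interface[] memory feeds, uint256[] memory maxAges) {
        require(assets.length == feeds.length && assets.length == maxAges.length, "length mismatch");
        for (uint256 i = 0; i < assets.length; i++) {
            feedConfig[assets[i]] = FeedConfig(feeds[i], maxAges[i]);
        }
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        FeedConfig memory cfg = feedConfig[asset];
        if (address(cfg.feed) == address(0)) revert FeedNotConfigured(asset);

        (, int256 answer,, uint256 updatedAt,) = cfg.feed.latestRoundData();

        // Reject zero or negative answers before the cast to uint256.
        if (answer <= 0) revert InvalidPrice(asset, answer);
        // updatedAt == 0 means the round has not been completed.
        if (updatedAt == 0) revert RoundNotComplete(asset);
        // A timestamp in the future underflows here and reverts under 0.8 checked arithmetic.
        if (block.timestamp - updatedAt > cfg.maxAge) revert StalePrice(asset, updatedAt);

        return uint256(answer);
    }
}
```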

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 11 months ago

raymondfam marked the issue as not a duplicate

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #843

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid