Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #34
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L11-L13
Vulnerability details
Bug description
Using `latestAnswer` from the Chainlink Aggregator misses some sanity checks that should be added to the function `getAssetPrice`.
Impact
The `getAssetPrice` function uses `latestAnswer` from the Chainlink Aggregator and it misses some important checks that should be added. These checks are added by the `latestRoundData` too and should be added here for the `latestAnswer` in `getAssetPrice`.
Proof of Concept
The function `getAssetPrice` and the `AggregatorInterface`:
Sanity checks should be added in the `getAssetPrice` function. This function is used in many places and it's important to add these checks for it; it is called in this line and this line and this line too.
Tools Used
manual review
similar issue
https://solodit.xyz/issues/m-15-lacking-validation-of-chainlink-oracle-queries-code4rena-vader-protocol-vader-protocol-contest-git
Recommended Mitigation Steps
Add the checks for `answeredInRound` & `price > 0` & `updateTime != 0`:
Assessed type
Other
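The three checks named under Recommended Mitigation Steps, written out as an added example; it is not code from the submission or from the Kelp repository. The contract, function and error names are hypothetical, the interface is the subset of Chainlink's `AggregatorV3Interface` that the checks need, and `updatedAt` is that interface's name for the timestamp the report calls `updateTime`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Subset of Chainlink's AggregatorV3Interface used by the checks below.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Hypothetical consumer contract, for illustration only.
contract CheckedPriceReader {
    error NonPositivePrice(int256 answer);
    error RoundNotComplete();
    error StaleRound(uint80 roundId, uint80 answeredInRound);

    /// Reads the latest round from `feed` and reverts unless all three
    /// sanity checks pass. `latestAnswer()` returns only the int256 answer,
    /// so the round metadata has to come from `latestRoundData()`.
    function readCheckedPrice(AggregatorV3Interface feed) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // price > 0: a zero or negative answer must never be used as a price.
        if (answer <= 0) revert NonPositivePrice(answer);

        // updateTime != 0: a zero timestamp means the round has no completed update.
        if (updatedAt == 0) revert RoundNotComplete();

        // answeredInRound: the answer must not be carried over from an earlier round.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);

        // Safe cast: answer is strictly positive at this point.
        return uint256(answer);
    }
}
```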