c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109-L109

Vulnerability details

Impact

LatestAnswer can return a Value of 0 when the expected price is not available, this is also stated by Chianlink like so "This does not error if no answer has been reached, it will simply return 0."

Proof of Concept

The code

function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
    return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
}

Does not validate that the return value of latestAnswer is not above zero, as this is a possible return value by the oracle when the price has not been reached for any reason necessary.

function getRsETHAmountToMint(
    address asset,
    uint256 amount
)
    public
    view
    override
    returns (uint256 rsethAmountToMint)
{
    // setup oracle contract
    address lrtOracleAddress = lrtConfig.getContract(LRTConstants.LRT_ORACLE);
    ILRTOracle lrtOracle = ILRTOracle(lrtOracleAddress);

    // calculate rseth amount to mint based on asset amount and asset exchange rate
    rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
}

In instances when this is not validated against it produces an invalid price and prices assets wrongly.

Tools Used

Manual

Recommended Mitigation Steps

Validate that the chainlink Returned price is greater than zero. Alternatively consider using the more updated LatestRoundData function.