Closed: c4-submissions closed this issue 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #34
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109-L109
Vulnerability details
Impact
latestAnswer can return a value of 0 when the expected price is not available. Chainlink states this explicitly: "This does not error if no answer has been reached, it will simply return 0."
Proof of Concept
The code does not validate that the return value of latestAnswer is greater than zero, even though 0 is a possible return value from the oracle whenever no answer has been reached, for whatever reason.
Where this is not validated, the oracle hands back an invalid price of 0 and assets are priced incorrectly.
Tools Used
Manual
Recommended Mitigation Steps
Validate that the price returned by Chainlink is greater than zero. Alternatively, consider using the more up-to-date latestRoundData function.
Assessed type
Oracle
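The following is an added illustration of the flagged pattern and of the recommended mitigation; it is not the Kelp project's code nor the warden's, and it simplifies the real contract. The `assetPriceFeed` mapping, the `PriceOracleExample` and `MockAggregator` contract names, and the `MAX_STALENESS` bound are assumptions made for the example. The checked version goes slightly beyond the report's recommendation by also rejecting stale updates, which is the usual companion check when switching to `latestRoundData`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's aggregator interface, enough for both access patterns.
interface IAggregator {
    function latestAnswer() external view returns (int256);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Illustrative oracle wrapper (assumed names; not the project's storage layout).
contract PriceOracleExample {
    mapping(address => address) public assetPriceFeed;
    uint256 public constant MAX_STALENESS = 1 hours; // assumption: acceptable age of a price update

    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt);

    constructor(address asset, address feed) {
        assetPriceFeed[asset] = feed;
    }

    // BEFORE: the pattern the report flags. latestAnswer() returns 0 when no
    // answer has been reached, and that 0 is forwarded as if it were a real price.
    function getAssetPriceUnchecked(address asset) external view returns (uint256) {
        return uint256(IAggregator(assetPriceFeed[asset]).latestAnswer());
    }

    // AFTER: the recommended mitigation. Use latestRoundData(), reject a zero or
    // negative answer, and additionally reject an update older than MAX_STALENESS.
    function getAssetPriceChecked(address asset) external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = IAggregator(assetPriceFeed[asset]).latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > MAX_STALENESS) revert StalePrice(updatedAt);
        return uint256(answer);
    }
}

// Constructed mock feed for local testing: returns whatever the deployer sets, so the
// zero-answer case can be exercised without a live Chainlink aggregator.
contract MockAggregator is IAggregator {
    int256 public answer;
    uint256 public updatedAt;

    function set(int256 _answer, uint256 _updatedAt) external {
        answer = _answer;
        updatedAt = _updatedAt;
    }

    function latestAnswer() external view override returns (int256) {
        return answer;
    }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}
```

Deploying `MockAggregator`, calling `set(0, block.timestamp)`, and then querying both getters shows the difference: `getAssetPriceUnchecked` returns 0 and any caller dividing by or multiplying with that value misprices the asset, while `getAssetPriceChecked` reverts with `InvalidPrice(0)` so no downstream deposit or mint can proceed on a missing answer.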