code-423n4 / 2023-11-kelp-findings


No check for minimum and maximum price #784

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39

Vulnerability details

Impact

Chainlink oracle aggregators contain both a minimum and a maximum price/answer; these are the possible values that the oracle can return. This means that when the price agreed upon by the nodes is below the minimum, the minimum will be returned, and the same applies to the maximum.

Proof of Concept

The three assets with strategies all have the following min and max answers:

stEth Min: 1000000000000000 Max: 100000000000000000000

cbEth Min: 1 Max: 95780971304118053647396689196894323976171195136475135

rEth Min: 1 Max: 95780971304118053647396689196894323976171195136475135

Tools Used

Manual

Recommended Mitigation Steps

Validate returned prices against the minimum and maximum; when the value matches either bound, Kelp should respond as it would to an invalid answer.

Assessed type

Oracle
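A hardened price read of the kind the mitigation describes, as an added example (not code from the Kelp contest repository). It assumes the feed address is a Chainlink EACAggregatorProxy whose current aggregator exposes `minAnswer()` / `maxAnswer()`, which holds for OffchainAggregator (OCR) feeds but is not guaranteed for every feed; the contract and error names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Subset of Chainlink's AggregatorV3Interface (real Chainlink ABI).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// The proxy exposes the aggregator it currently points at (real EACAggregatorProxy ABI).
interface IAggregatorProxy {
    function aggregator() external view returns (address);
}

/// The aggregator exposes the band it clamps answers to (real OffchainAggregator ABI).
interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

/// Example reader (assumed name): treats any answer at or beyond the aggregator's
/// bounds as invalid instead of consuming the clamped value.
contract BoundedChainlinkReader {
    error InvalidAnswer(int256 answer);

    function getPrice(address priceFeed) external view returns (uint256) {
        (, int256 answer, , , ) = AggregatorV3Interface(priceFeed).latestRoundData();

        // Read the bounds from the aggregator behind the proxy, not from a hard-coded constant,
        // so a feed upgrade that changes the band is picked up automatically.
        address agg = IAggregatorProxy(priceFeed).aggregator();
        int256 minAnswer = int256(IOffchainAggregator(agg).minAnswer());
        int256 maxAnswer = int256(IOffchainAggregator(agg).maxAnswer());

        // The aggregator clamps the reported answer to [minAnswer, maxAnswer]. An answer equal
        // to either bound therefore most likely means the real price moved outside the band,
        // so it is rejected the same way a non-positive answer would be.
        if (answer <= 0 || answer <= minAnswer || answer >= maxAnswer) {
            revert InvalidAnswer(answer);
        }
        return uint256(answer);
    }
}
```

For feeds like cbETH/ETH and rETH/ETH above, whose band is 1 to a 53-digit maximum, the check is effectively a no-op, so this guard is only meaningful where the feed's band is tight, as with the stETH feed.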

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #468

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid