Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #34
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/oracles/ChainlinkPriceOracle.sol#L34-L39
Vulnerability details
Impact
Protocol uses a deprecated implementation of Chainlink's price feed
Proof of Concept
The function getAssetPrice uses latestAnswer, which is a deprecated implementation of Chainlink's price feed as per the official documentation.
This can result in incorrect price feeds, because latestAnswer gives the caller no way to properly verify the answer it returns; for example, it returns 0 instead of false when there is no answer. In addition, there is no check on whether the price is stale or valid, which can compromise the soundness of the protocol.
Tools Used
Manual Review
Recommended Mitigation Steps
Use latestRoundData instead of latestAnswer, as per the documentation:
https://docs.chain.link/data-feeds/api-reference
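The following Solidity contract is an added illustration of the weak pattern described in the proof of concept beside the mitigation recommended above; it is not the Kelp ChainlinkPriceOracle contract and does not reproduce its code. The contract name, the assetPriceFeed mapping, the MAX_STALENESS bound and the error names are assumptions chosen for the example; the IAggregator interface is a minimal subset of Chainlink's AggregatorInterface (latestAnswer) and AggregatorV3Interface (latestRoundData).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's aggregator interfaces (assumed to match
// AggregatorInterface.latestAnswer and AggregatorV3Interface.latestRoundData).
interface IAggregator {
    function decimals() external view returns (uint8);
    function latestAnswer() external view returns (int256); // deprecated
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

// Illustrative oracle (example code, not the project's own contract).
contract ExamplePriceOracle {
    // asset => Chainlink feed address (assumed layout for the example)
    mapping(address => address) public assetPriceFeed;

    // Assumed staleness bound; in practice this must be set per feed from
    // the feed's published heartbeat, not a single global constant.
    uint256 public constant MAX_STALENESS = 1 hours;

    error PriceFeedNotSet(address asset);
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 blockTime);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    // Weak pattern: latestAnswer returns a single int256. A feed with no
    // answer yet yields 0, a negative value is silently cast to a huge
    // uint256, and nothing tells the caller when the value was last updated.
    function getAssetPriceDeprecated(address asset) external view returns (uint256) {
        address feed = assetPriceFeed[asset];
        if (feed == address(0)) revert PriceFeedNotSet(asset);
        return uint256(IAggregator(feed).latestAnswer());
    }

    // Hardened pattern: latestRoundData plus validation of the returned round.
    function getAssetPrice(address asset) external view returns (uint256) {
        address feed = assetPriceFeed[asset];
        if (feed == address(0)) revert PriceFeedNotSet(asset);

        (
            uint80 roundId,
            int256 answer,
            ,
            uint256 updatedAt,
            uint80 answeredInRound
        ) = IAggregator(feed).latestRoundData();

        // Reject "no answer" (0) and negative answers instead of using them.
        if (answer <= 0) revert InvalidPrice(answer);

        // Reject answers older than the accepted heartbeat window.
        if (updatedAt == 0 || block.timestamp - updatedAt > MAX_STALENESS) {
            revert StalePrice(updatedAt, block.timestamp);
        }

        // Legacy completeness check; Chainlink documents answeredInRound as
        // deprecated for newer feeds, so keep or drop it per the feed in use.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        return uint256(answer);
    }
}
```

The two functions take the same input so the difference is easy to see: getAssetPriceDeprecated hands back whatever the feed's single integer happens to be, while getAssetPrice reverts on a zero or negative answer and on an answer whose updatedAt timestamp is outside the staleness window, which is exactly the validation the deprecated call cannot provide.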
Assessed type
Oracle