code-423n4 / 2023-11-kelp-findings

Chainlink's latest answer is deprecated #81

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/oracles/ChainlinkPriceOracle.sol#L34-L39

Vulnerability details

Impact

Protocol uses a deprecated implementation of Chainlink's price feed

Proof of Concept

The function getAssetPrice uses latestAnswer, which is a deprecated implementation of Chainlink's price feed as per the official documentation.

This can result in incorrect price feeds because latestAnswer is not able to properly verify answers, for example returning 0 instead of false if there is no answer. In addition, there is also no check on whether the price is stale or valid, which can compromise the soundness of the protocol.

Tools Used

Manual Review

Recommended Mitigation Steps

Use latestRoundData instead of latestAnswer as per the documentation:

https://docs.chain.link/data-feeds/api-reference

Assessed type

Oracle
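The mitigation above, shown as an added Solidity example that is not the Kelp code under review: the unsafe latestAnswer read beside a latestRoundData read that rejects zero, negative and stale answers. The feed mapping, owner-gated setter and the MAX_PRICE_AGE bound are assumptions for this illustration; the real bound must follow each feed's documented heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's aggregator interface, declared inline so this compiles stand-alone.
interface AggregatorV3Interface {
    function latestAnswer() external view returns (int256); // legacy, deprecated
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract ChainlinkPriceConsumer {
    error NotOwner();
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    address public immutable owner;
    mapping(address => address) public assetPriceFeed; // asset => Chainlink feed (assumed layout)
    uint256 public constant MAX_PRICE_AGE = 1 hours;   // assumption: pick per feed heartbeat

    constructor() { owner = msg.sender; }

    function setFeed(address asset, address feed) external {
        if (msg.sender != owner) revert NotOwner();
        assetPriceFeed[asset] = feed;
    }

    // Unsafe form: latestAnswer() yields 0 rather than failing when there is no answer,
    // and exposes no timestamp, so the caller cannot tell a live price from a stale one.
    function getAssetPriceUnsafe(address asset) external view returns (uint256) {
        return uint256(AggregatorV3Interface(assetPriceFeed[asset]).latestAnswer());
    }

    // Hardened form: latestRoundData() returns the round metadata needed to validate the answer.
    function getAssetPrice(address asset) external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) =
            AggregatorV3Interface(assetPriceFeed[asset]).latestRoundData();
        // 0 or negative means no usable answer; reject instead of pricing the asset at zero.
        if (answer <= 0) revert InvalidPrice(answer);
        // A round that was never updated, or updated too long ago, is stale; refuse it.
        if (updatedAt == 0 || block.timestamp - updatedAt > MAX_PRICE_AGE) {
            revert StalePrice(updatedAt, MAX_PRICE_AGE);
        }
        return uint256(answer);
    }
}
```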

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #34

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid