code-423n4 / 2023-11-kelp-findings


Chainlink oracle uses deprecated function #822

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Summary

Prices from Chainlink are fetched using a deprecated function.

Impact

The ChainlinkPriceOracle contract is used to interface with Chainlink price feeds to obtain the prices for the different LST assets used in the protocol.

The implementation is using the function latestAnswer(), which is deprecated and should not be used anymore.

latestAnswer
⚠️ THIS FUNCTION IS DEPRECATED. DO NOT USE THIS FUNCTION.

Proof of Concept

The implementation of getAssetPrice() is using the deprecated function:

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39

```solidity
37:     function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
38:         return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
39:     }
```

Recommendation

Switch to latestRoundData().

Assessed type

Oracle
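A hardened getAssetPrice() built on latestRoundData(), added here as an illustration of the recommendation and not code from the Kelp repository; the feed mapping, the per-asset staleness window, the constructor and the error names are assumptions, while the AggregatorV3Interface signature matches Chainlink's published interface:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface (signature as published by Chainlink).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added example contract (not the project's own). Storage layout is assumed.
contract HardenedChainlinkPriceOracle {
    mapping(address => address) public assetPriceFeed; // asset => Chainlink feed
    // Allowed age of an answer per asset; set at or above the feed's published heartbeat.
    mapping(address => uint256) public maxStaleness;

    error UnsupportedAsset(address asset);
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    constructor(address asset, address feed, uint256 staleness) {
        assetPriceFeed[asset] = feed;
        maxStaleness[asset] = staleness;
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        address feed = assetPriceFeed[asset];
        if (feed == address(0)) revert UnsupportedAsset(asset);

        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            AggregatorV3Interface(feed).latestRoundData();

        // latestAnswer() returns only the value, with no way to tell whether it is
        // fresh or valid; latestRoundData() exposes the metadata needed to check that.
        if (answer <= 0) revert InvalidPrice(answer);
        // Written without subtraction so a zero updatedAt cannot underflow.
        if (updatedAt + maxStaleness[asset] < block.timestamp) {
            revert StalePrice(updatedAt, maxStaleness[asset]);
        }
        // On current OCR feeds answeredInRound always equals roundId; the check only
        // matters for older feeds where an answer could lag the round.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);

        return uint256(answer);
    }
}
```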

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #34

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid