Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #34
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Impact
Chainlink's documentation indicates that the latestAnswer function is deprecated. This function does not revert if no answer is obtained; instead it returns 0. Additionally, the reported latestAnswer uses 18 decimals for some token quotes and 8 decimals for others. It is recommended to dynamically retrieve decimals from the oracles rather than hard-coding them in the contract.
Proof of Concept
https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
Chainlink Price Feeds API Reference
Deprecated AggregatorInterface API Reference
Tools Used
Manual Review
Recommended Mitigation Steps
Utilize the latestRoundData function to retrieve prices. Implement checks on the returned data, reverting with a message if the price is stale. E.g.:
Add a timestamp check to avoid staleness
Add a buffer to avoid excessive price changes, e.g.:
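As an added illustration (not code from this report or from the Kelp repository), the following reader applies the mitigations listed above: it calls latestRoundData instead of the deprecated latestAnswer, rejects zero or negative answers and incomplete rounds, enforces a maximum answer age, reads decimals() from the feed rather than hard-coding 8 or 18, and keeps a per-feed deviation buffer against abrupt price jumps. The AggregatorV3Interface functions are Chainlink's real interface; the contract name, function names, and the 1 hour / 10% limits are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface (the real interface, copied here so the file is self-contained).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical consumer contract, written for this example only.
contract GuardedChainlinkReader {
    uint256 public constant MAX_AGE = 1 hours;         // assumed staleness bound; tune to the feed's heartbeat
    uint256 public constant MAX_DEVIATION_BPS = 1_000; // assumed 10% limit on a single update (the "buffer")
    uint256 public constant BPS = 10_000;

    // Last accepted 18-decimal price per feed, used for the deviation buffer.
    mapping(address => uint256) public lastAcceptedPrice;

    error InvalidAnswer(address feed, int256 answer);
    error IncompleteRound(address feed, uint80 roundId);
    error StalePrice(address feed, uint256 updatedAt, uint256 maxAge);
    error ExcessiveDeviation(address feed, uint256 previous, uint256 current);

    // Returns the feed's latest price normalized to 18 decimals, reverting on each failure
    // mode the report describes instead of silently propagating a bad value.
    function getPrice18(address feed) public returns (uint256 price18) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, ) =
            AggregatorV3Interface(feed).latestRoundData();

        // latestAnswer() would hand back 0 here with no way to tell it apart from a real answer.
        if (answer <= 0) revert InvalidAnswer(feed, answer);
        // updatedAt == 0 means the round has not completed.
        if (updatedAt == 0) revert IncompleteRound(feed, roundId);
        // Timestamp check: reject answers older than MAX_AGE.
        if (block.timestamp - updatedAt > MAX_AGE) revert StalePrice(feed, updatedAt, MAX_AGE);

        // Read the feed's own decimals instead of assuming 8 or 18.
        uint8 dec = AggregatorV3Interface(feed).decimals();
        price18 = _scaleTo18(uint256(answer), dec);

        // Buffer: reject a single update that moves more than MAX_DEVIATION_BPS from the last accepted price.
        uint256 prev = lastAcceptedPrice[feed];
        if (prev != 0) {
            uint256 diff = price18 > prev ? price18 - prev : prev - price18;
            if (diff * BPS > prev * MAX_DEVIATION_BPS) revert ExcessiveDeviation(feed, prev, price18);
        }
        lastAcceptedPrice[feed] = price18;
    }

    // Rescales a raw feed answer with `dec` decimals to 18 decimals.
    function _scaleTo18(uint256 value, uint8 dec) internal pure returns (uint256) {
        if (dec == 18) return value;
        if (dec < 18) return value * 10 ** uint256(18 - dec);
        return value / 10 ** uint256(dec - 18);
    }
}
```

The deviation buffer is stateful, so the first call for a feed only seeds lastAcceptedPrice; whether a rejected update should halt the caller or fall back to the previous price is a product decision, and the revert is the conservative default shown here.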
Assessed type
Oracle