ChainLink's latestAnswer is deprecated

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

Chainlink's documentation indicates that the latestAnswer function is deprecated. This function lacks reversion if no answer is obtained, instead returning 0. Additionally, the reported latestAnswer varies with 18 decimals for some token quotes and 8 decimals for others. It is recommended to dynamically retrieve decimals from oracles rather than hard-coding them in the contract.

Proof of Concept

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38 Chainlink Price Feeds API Reference
Deprecated AggregatorInterface API Reference

Tools Used

Manual Review

Recommended Mitigation Steps

• Utilize the latestRoundData function to retrieve prices. Implement checks on the return data with revert messages if the price is stale. E.g:

  
  (uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
  require(answeredInRound >= roundID, "Stale price data");

• Add timestamp check to avoid staleness

• Add a buffer to avoid excessive price changes like for e.g:

  require(price - lastPrice <= buffer, "");

Assessed type

Oracle

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #32

[c4-pre-sort]

raymondfam marked the issue as not a duplicate

[c4-pre-sort]

raymondfam marked the issue as insufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #34

[c4-judge]

fatherGoose1 marked the issue as unsatisfactory: Invalid