code-423n4 / 2023-11-kelp-findings


Upgraded Q -> 2 from #840 [1701456207749] #886

Closed c4-judge closed 10 months ago

c4-judge commented 10 months ago

Judge has assessed an item in Issue #840 as 2 risk. The relevant finding follows:

[L-5] No decimal normalization in price feeds

Chainlink feeds simply return the price without checking for any decimal discrepancy.

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L37-L39

    function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
        return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
    }

In the case price feeds used by supported assets don’t match in their decimals, the error will be carried forward during the calculation of the RSETH price in getRSETHPrice(), as numbers with different precision will be aggregated together.

Currently, feeds for all supported assets (stETH, cbETH and rETH) have 18 decimals, but caution must be taken if other assets are added.
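One way to scale every feed answer to a common 18-decimal precision before it is aggregated, given as an added example that is not code from the audited repository or from the finding's author. `IPriceFeed`, `NormalizedPriceOracle`, `TARGET_DECIMALS` and `_scale` are hypothetical names, and the sketch assumes each feed exposes `decimals()` and an `int256` `latestAnswer()`, as Chainlink aggregators do.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal feed interface; Chainlink aggregators expose both calls.
interface IPriceFeed {
    function latestAnswer() external view returns (int256);
    function decimals() external view returns (uint8);
}

// Hypothetical oracle (not the audited contract) returning 18-decimal prices.
contract NormalizedPriceOracle {
    uint8 public constant TARGET_DECIMALS = 18;
    mapping(address asset => address feed) public assetPriceFeed;

    error UnsupportedAsset(address asset);
    error NonPositivePrice(int256 answer);

    constructor(address[] memory assets, address[] memory feeds) {
        require(assets.length == feeds.length, "length mismatch");
        for (uint256 i = 0; i < assets.length; i++) {
            assetPriceFeed[assets[i]] = feeds[i];
        }
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        address feed = assetPriceFeed[asset];
        if (feed == address(0)) revert UnsupportedAsset(asset);

        // Reject zero or negative answers before the unsigned cast.
        int256 answer = IPriceFeed(feed).latestAnswer();
        if (answer <= 0) revert NonPositivePrice(answer);

        return _scale(uint256(answer), IPriceFeed(feed).decimals());
    }

    // An 8-decimal answer is multiplied by 1e10, an 18-decimal answer is
    // returned unchanged, and anything above 18 decimals is divided down
    // (truncating), so all prices share one precision when summed.
    function _scale(uint256 price, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return price;
        if (feedDecimals < TARGET_DECIMALS) {
            return price * 10 ** (TARGET_DECIMALS - feedDecimals);
        }
        return price / 10 ** (feedDecimals - TARGET_DECIMALS);
    }
}
```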

c4-judge commented 10 months ago

fatherGoose1 marked the issue as duplicate of #479

c4-judge commented 10 months ago

fatherGoose1 marked the issue as satisfactory

c4-judge commented 10 months ago

This auto-generated issue was withdrawn by fatherGoose1