code-423n4 / 2023-11-kelp-findings


Upgraded Q -> 2 from #815 [1701456736084] #887

Closed c4-judge closed 11 months ago

c4-judge commented 11 months ago

Judge has assessed an item in Issue #815 as 2 risk. The relevant finding follows:

Chainlink price feed decimals not checked

The price value returned by a Chainlink price feed will have a different decimals value depending on the price feed used. While currently most ETH pairs use 18 decimals and USD pairs use 8 decimals (see the price feeds for LINK/ETH and LINK/USD for example), there is no guarantee that this will be the case for price feeds deployed in the future. If the decimals are not checked when querying a price feed, incorrect decimals may be assumed, which can lead to significant accounting errors. Specifically, in LRTDepositPool#getRsETHAmountToMint, the decimals of getAssetPrice() is assumed to be exactly 18; otherwise the returned value could be far smaller than expected, leading to users being minted far fewer rsETH tokens than intended.

To access a price feed's decimals, simply call priceFeed.decimals().

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
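The normalization the finding above calls for, as an added example that is not part of the original report and not Kelp's code: a hypothetical wrapper (the names `NormalizedPriceOracle` and `scaleTo18` are assumptions) that reads `decimals()` from the feed and scales the answer to 18 decimals before any mint calculation consumes it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical oracle wrapper (illustrative names, not the audited contract).
/// Callers always receive a price with 18 decimals, whatever the feed reports.
contract NormalizedPriceOracle {
    uint8 public constant TARGET_DECIMALS = 18;

    error InvalidPrice();

    function getAssetPrice(AggregatorV3Interface feed) external view returns (uint256) {
        (, int256 answer,,,) = feed.latestRoundData();
        // A non-positive answer cannot be cast to a meaningful uint256 price.
        if (answer <= 0) revert InvalidPrice();
        return scaleTo18(uint256(answer), feed.decimals());
    }

    /// Scale `price` from `feedDecimals` to 18 decimals.
    /// Checked arithmetic (Solidity >= 0.8) reverts if the scaling overflows.
    function scaleTo18(uint256 price, uint8 feedDecimals) public pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) {
            return price;
        }
        if (feedDecimals < TARGET_DECIMALS) {
            // Example: an 8-decimal feed is multiplied by 10^10.
            return price * 10 ** (TARGET_DECIMALS - feedDecimals);
        }
        // Feed reports more than 18 decimals: divide, truncating extra precision.
        return price / 10 ** (feedDecimals - TARGET_DECIMALS);
    }
}
```

With an 8-decimal feed, an unscaled answer is 10^10 times smaller than the 18-decimal value the mint formula expects, which is the under-minting the finding describes.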

c4-judge commented 11 months ago

fatherGoose1 marked the issue as duplicate of #479

c4-judge commented 11 months ago

fatherGoose1 marked the issue as satisfactory

c4-judge commented 11 months ago

This auto-generated issue was withdrawn by fatherGoose1