Lines of code

Vulnerability details

Summary

Chainlink responses from price feeds are being used without any sanity checks.

Impact

The ChainlinkPriceOracle contract is used to interface with the Chainlink price feeds for the different LST assets in scope in the protocol.

The current implementation is returning the latest response available from the Chainlink feed without doing any sanity checks.

There is check for stale prices, the function doesn’t validate if the last update timestamp is within a sane range, or if it’s aligned with the feed’s heartbeat. Note that different feeds may have different heartbeats, which means this should be checked using a per feed configuration.

There is also no check for prices being within the valid limits, or for big price deviations. During flash crashes, prices may fall abruptly for short periods of time, in which case the current implementation will simply return the current prices being reported by Chainlink.

Proof of Concept

Prices from Chainlink are being returned as is, without any validation or sanity checks.

<https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L34-L39&gt;

34:     /// @notice Fetches Asset/ETH exchange rate
35:     /// @param asset the asset for which exchange rate is required
36:     /// @return assetPrice exchange rate of asset
37:     function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
38:         return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
39:     }

Recommendation

The following article contains a good summary of the recommended checks when consuming a Chainlink price feed.

Assessed type

Oracle

---

The text was updated successfully, but these errors were encountered:

All reactions