lack of validations in possibly deprecated oracle #34
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
insufficient quality report
This report is not of sufficient quality
primary issue
Highest quality submission among a set of duplicates
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-submissions
added
2 (Med Risk)
c4-submissions
added a commit
that referenced
this issue
Nov 10, 2023
|
raymondfam marked the issue as insufficient quality report |
c4-pre-sort
added
insufficient quality report
|
raymondfam marked the issue as primary issue |
|
L-02 from the bot. |
This was referenced Nov 15, 2023
Closed
This was referenced Nov 16, 2023
Closed
Closed
|
fatherGoose1 marked the issue as unsatisfactory: |
c4-judge
added
the
unsatisfactory
|
Reported by bot. |
|
fatherGoose1 marked the issue as unsatisfactory: |
1 similar comment
|
fatherGoose1 marked the issue as unsatisfactory: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/4b34abc952205e2a34bff893a0de0c75b8052149/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Impact
https://blog.openzeppelin.com/secure-smart-contract-guidelines-the-dangers-of-price-oracles it is explained that this could generate security errors, when using
a depreciated version of the oracle. Furthermore, it is not validated that the return is != 0, this would be important since the oracle could be working incorrectly.
Recommended Mitigation Steps
Use try/catch and validate that the result of latestAnswer() is != 0.
Assessed type
Oracle
The text was updated successfully, but these errors were encountered: