Deprecated oracle function latestAnswer() could bring fund loss

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

The function ChainlinkPriceOracle.getAssetPrice() is used to return important values used throughout the contract, the staleness of the Chainlink return values will lead to wrong calculation of the asset and other unexpected behavior.

Proof of Concept

The function ChainlinkPriceOracle.getAssetPrice() uses Chainlink's deprecated latestAnswer function (https://docs.chain.link/data-feeds/api-reference/), this function also does not guarantee that the price returned by the Chainlink price feed is not stale and there is no additional checks to ensure that the return values are valid.

    function getAssetPrice(address asset) external view onlySupportedAsset(asset) returns (uint256) {
        return AggregatorInterface(assetPriceFeed[asset]).latestAnswer();
    }

Tools Used

Vscode

Recommended Mitigation Steps

The latestRoundData function should be used instead of the deprecated latestAnswer function and add sufficient checks to ensure that the pricefeed is not stale.

(uint80 roundId, int256 assetChainlinkPriceInt, , uint256 updatedAt, uint80 answeredInRound) = IPrice(_chainlinkFeed).latestRoundData();
            require(answeredInRound >= roundId, "price is stale");
            require(updatedAt > 0, "round is incomplete");

Assessed type

Oracle

[c4-pre-sort]

raymondfam marked the issue as insufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #34

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as not a duplicate

[c4-pre-sort]

raymondfam marked the issue as duplicate of #843

[c4-judge]

fatherGoose1 marked the issue as unsatisfactory:
Invalid