Using the deprecated Chainlink function latestAnswer #573
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-34
insufficient quality report
This report is not of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-submissions
added
2 (Med Risk)
|
raymondfam marked the issue as insufficient quality report |
c4-pre-sort
added
the
insufficient quality report
|
raymondfam marked the issue as duplicate of #34 |
|
fatherGoose1 marked the issue as unsatisfactory: |
c4-judge
added
the
unsatisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38
Vulnerability details
Proof of Concept
According to the Chainlink documentation (https://docs.chain.link/data-feeds/api-reference), the latestAnswer() function has been deprecated. This function does not throw an error if no response is received, but instead returns 0, causing the wrong price to be passed.
Tools Used
Manual review
Recommended Mitigation Steps
I recommend using the latestRoundData function to get the price instead. We also recommend adding checks on the returned data with proper cancellation messages if the price is out of date or the round is not completed, for example:
(uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = oracle.latestRoundData();
require(answeredInRound >= roundID, "...");
require(timeStamp != 0, "...");
Assessed type
Oracle
The text was updated successfully, but these errors were encountered: