Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of deprecated chainlink function #808

Closed
c4-submissions opened this issue Nov 15, 2023 · 8 comments
Closed

Use of deprecated chainlink function #808

c4-submissions opened this issue Nov 15, 2023 · 8 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-34 edited-by-warden insufficient quality report This report is not of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Nov 15, 2023
edited by code4rena-admin
Loading

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/oracles/ChainlinkPriceOracle.sol#L38

Vulnerability details

Impact

When using the latestAnswer() method to fetch the latest asset price, there's a potential issue. This method lacks a mechanism to verify the timeliness of the data, crucial for ensuring accurate and reliable price information in transactions.

Proof of Concept

The ChainlinkPriceOracle contract uses the deprecated AggregatorInterface.latestAnswer() to retrieve the current price instead of the latestroundData() function recommended by Chainlink. The latestAnswer() function might return 0 if no answer is reached, which should be handled appropriately by the caller.

The recommended latestRoundData() function returns additional data which could be used to check whether the answer was reported recently enough.

If latestAnswer() returns 0 for a specific asset, users won't be able to mint rsETH and will receive 0 when withdrawing.

Note

I am aware that this issue has been included in the bot report but still reported this bug because the automated report does not explains the full impact of the finding and hence incorrectly judges it as low.
The C4 docs explicitly states that raising issues from bot reports to a higher severity is fair game, as seen here.

Tools Used

Manual review

Recommended Mitigation Steps

Short term, consider using the latestRoundData function and add checks on the return data with proper revert messages if the price is stale or the round is uncomplete.

Assessed type

Oracle
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 15, 2023
c4-submissions added a commit that referenced this issue Nov 15, 2023
@c4-submissions
btk issue #808
5df3b39
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Nov 16, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #32

@c4-pre-sort c4-pre-sort added duplicate-32 insufficient quality report This report is not of sufficient quality and removed sufficient quality report This report is of sufficient quality labels Nov 16, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as insufficient quality report

@c4-pre-sort
Copy link

raymondfam marked the issue as not a duplicate

@c4-pre-sort c4-pre-sort reopened this Nov 17, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #34

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 1, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Dec 1, 2023

fatherGoose1 marked the issue as unsatisfactory:
Invalid

@0xbtk
Copy link

0xbtk commented Dec 4, 2023

Hey @fatherGoose1, can you please explain why this is marked as invalid? As per of the C4 docs:

Wardens may use automated tools as a first pass, and build on these findings to identify High and Medium severity issues ("HM issues").

I was aware that this issue has been included in the bot report but still reported this bug because the automated report does not explains the full impact of the finding and hence incorrectly judges it as low.

Thanks for your time and consideration.

@fatherGoose1
Copy link

This report does not offer much on top of what the bot has reported. Moreover, this specific finding is widely recognized as OOS given the sheer volume of reports that reference latestAnswer().

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-34 edited-by-warden insufficient quality report This report is not of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@fatherGoose1 @c4-judge @c4-pre-sort @0xbtk @c4-submissions @code4rena-admin