Kept.sol: Keeper could be rewarded with wrong amount of token because of stale eth price
Summary
The keeper is incentivized with a keeper fee to commit oracle updates. The keeper fee is calculated from the gas value, which is determined by the ETH price. The ETH price is queried from Chainlink, but price staleness is not checked, so the keeper will be rewarded with the wrong amount of tokens when the ETH price is stale.
Vulnerability Detail
The keeperFee is calculated and rewarded during an oracle update. It can be wrong because _etherPrice() may return a stale ETH price, so the keeper can receive a wrong fee.
n33k
high
Impact
The protocol loses tokens to the keeper, or the keeper loses tokens to the protocol.
If the keeper is profiting, he can repeatedly commit oracle updates to drain the keeper fee reserves.
Code Snippet
https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L62
Tool used
Manual Review
Recommendation
Should check if the price returned from latestRoundData() is stale.
Duplicate of #159
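One way to implement the recommended staleness check on latestRoundData(), as an added example that is not code from Kept.sol or from the report. The contract name, `_checkedEtherPrice`, `maxPriceAge` and the custom errors are hypothetical, and the maximum age is assumed to be chosen from the feed's heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Subset of Chainlink's AggregatorV3Interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper: a price read that refuses stale or invalid answers.
abstract contract StaleCheckedEthPrice {
    error InvalidPrice(int256 answer);
    error IncompleteRound();
    error StalePrice(uint256 updatedAt, uint256 maxAge);

    AggregatorV3Interface public immutable ethFeed;
    // Assumption: configured slightly above the feed's heartbeat so a normal update gap does not revert.
    uint256 public immutable maxPriceAge;

    constructor(AggregatorV3Interface ethFeed_, uint256 maxPriceAge_) {
        ethFeed = ethFeed_;
        maxPriceAge = maxPriceAge_;
    }

    // Returns the feed answer only if it is positive, complete and recent enough.
    function _checkedEtherPrice() internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = ethFeed.latestRoundData();

        // A zero or negative answer would produce a zero or wrapped fee after the cast below.
        if (answer <= 0) revert InvalidPrice(answer);
        // updatedAt == 0 means the round has not been completed.
        if (updatedAt == 0) revert IncompleteRound();
        // Reject timestamps in the future and answers older than the allowed age.
        if (updatedAt > block.timestamp || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }

        return uint256(answer);
    }
}
```

Reverting here blocks the keeper-rewarded call for as long as the feed is stale. Where oracle commits must keep going through, the same checks can instead gate only the fee payment.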