sherlock-audit / 2023-07-perennial-judging


WATCHPUG - `PythOracle#commitRequested()` extra ETH should be refunded. #157

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

WATCHPUG

medium

PythOracle#commitRequested() extra ETH should be refunded.

Summary

Vulnerability Detail

The amount of the update fee (pyth.getUpdateFee(updateDataList)) may have changed between the time the transaction was sent and the time it gets mined. When it decreases, there will be a surplus of ETH remaining in the contract.

Over time, it can accumulate and one can take advantage of this and send no ETH but use the balance on the contract to post an Oracle update and claim the keeper fee.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L184-L196

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L124-L157

Tool used

Manual Review

Recommendation

Refund msg.value - pyth.getUpdateFee(updateDataList) if any.

Duplicate of #53
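As an added illustration of the recommended fix (example code written for this page, not Perennial's `PythOracle` and not Pyth's own code), the contract below shows the weak pattern the report describes next to the corrected one: compute the fee at execution time, forward exactly that amount to Pyth, and return the caller's surplus. The `IPyth` interface is a hypothetical subset assumed to mirror the Pyth SDK's `getUpdateFee` / `updatePriceFeeds` signatures; the contract and function names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Assumed minimal subset of the Pyth interface (mirrors the Pyth SDK signatures).
interface IPyth {
    function getUpdateFee(bytes[] calldata updateData) external view returns (uint256 feeAmount);
    function updatePriceFeeds(bytes[] calldata updateData) external payable;
}

/// Hypothetical keeper-style forwarder used only to illustrate the refund pattern.
contract PythUpdateForwarder {
    IPyth public immutable pyth;

    error InsufficientFee(uint256 required, uint256 provided);
    error RefundFailed();

    constructor(IPyth pyth_) {
        pyth = pyth_;
    }

    /// Weak pattern: forwards the fee that is current at execution time but keeps
    /// any difference between msg.value and that fee in this contract. If the fee
    /// dropped after the caller quoted it, the surplus silently accumulates here.
    function updateKeepSurplus(bytes[] calldata updateData) external payable {
        uint256 fee = pyth.getUpdateFee(updateData);
        if (msg.value < fee) revert InsufficientFee(fee, msg.value);
        pyth.updatePriceFeeds{value: fee}(updateData);
        // msg.value - fee is now stranded in address(this).
    }

    /// Corrected pattern: forward exactly the current fee and refund the rest to
    /// the caller. The refund is computed from msg.value, not from
    /// address(this).balance, so only the caller's own overpayment is returned.
    function updateWithRefund(bytes[] calldata updateData) external payable {
        uint256 fee = pyth.getUpdateFee(updateData);
        if (msg.value < fee) revert InsufficientFee(fee, msg.value);
        pyth.updatePriceFeeds{value: fee}(updateData);

        // Any per-call accounting (e.g. crediting a keeper fee) belongs above this
        // line so that state is final before ETH is sent back (checks-effects-interactions).
        uint256 surplus = msg.value - fee;
        if (surplus > 0) {
            (bool ok, ) = msg.sender.call{value: surplus}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```

Two details matter for the refund: it is derived from `msg.value - fee`, never from the contract's whole balance, so a pre-existing balance can never be drained by an overpaying caller; and it is the last external call in the function, so any keeper-fee bookkeeping is already settled if the recipient re-enters. A refund that reverts (a caller that cannot receive ETH) makes the whole update revert, which is the conservative choice for a keeper path where the caller controls its own address.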

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

panprog commented:

low (invalid) because it's user error