search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

minhtrng - Eth oracle feed not updateable in Kept #164

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

minhtrng

medium

Eth oracle feed not updateable in Kept

Summary

The ETH oracle feed used in kept is not changeable. If it ever gets shutdown, prices used for keeper fees will diverge from market price and can cause over-/underpayment.

Vulnerability Detail

In Kept the _ethTokenOracleFeed is set once, during initialization and can not be changed by owner after that:

function __UKept__initialize(
    AggregatorV3Interface ethTokenOracleFeed_,
    Token18 keeperToken_
) internal onlyInitializer {
    _ethTokenOracleFeed.store(address(ethTokenOracleFeed_));

If this feed gets stale or gets shutdown, the price read in etherPrice (used to determine keeper reward) will diverge from the actual market price.

Impact

Over-/underpayment due to stale and not updateable oracle.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/c2f6141c231d3952898ea47793872cac69a1d2af/root/contracts/attribute/Kept.sol#L27

Tool used

Manual Review

Recommendation

Allow owner to change the oracle

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

141345 commented:

l