sherlock-audit / 2023-07-perennial-judging


minhtrng - Lack of staleness check in Kept #166

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

minhtrng

medium

Lack of staleness check in Kept

Summary

Lack of staleness check in Kept.

Vulnerability Detail

There is no staleness check in Kept._etherprice:

    // Only `answer` is read; `updatedAt` and `answeredInRound` are discarded, so a stale round is accepted silently
    (, int256 answer, , ,) = ethTokenOracleFeed().latestRoundData();
    return UFixed18Lib.from(Fixed18Lib.ratio(answer, 1e8)); // chainlink eth-usd feed uses 8 decimals

Common issue; example submission for reference.

Impact

Wrong ether price used when paying keepers.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L62-L63

Tool used

Manual Review

Recommendation

Read the updatedAt parameter from the calls to latestRoundData() and verify that it isn't older than a threshold.

Duplicate of #159
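The recommendation above, worked out as a hardened `_etherPrice` with a staleness check. This is an added example, not code from the Perennial repository or from the submitter; the threshold constant, the error names, the `MockFeed` contract and the `KeptExample` wrapper are assumptions for illustration, and the 8-to-18 decimal scaling stands in for the project's `UFixed18Lib.from(Fixed18Lib.ratio(answer, 1e8))` conversion.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface (signature matches the real one).
interface IAggregatorV3 {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

abstract contract KeptWithStalenessCheck {
    error InvalidEthPrice(int256 answer);
    error StaleEthPrice(uint256 updatedAt, uint256 threshold);

    // Assumed threshold: the feed's heartbeat plus a margin; must be tuned per feed and chain.
    uint256 public constant PRICE_STALENESS_THRESHOLD = 1 hours + 5 minutes;

    function ethTokenOracleFeed() public view virtual returns (IAggregatorV3);

    // Hardened replacement for Kept._etherPrice: ETH/USD price scaled to 18 decimals.
    function _etherPrice() internal view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            ethTokenOracleFeed().latestRoundData();

        // A failed feed can report zero or negative answers.
        if (answer <= 0) revert InvalidEthPrice(answer);
        // updatedAt == 0 means the round never completed; an old updatedAt means a stale round.
        if (updatedAt == 0 || block.timestamp - updatedAt > PRICE_STALENESS_THRESHOLD)
            revert StaleEthPrice(updatedAt, PRICE_STALENESS_THRESHOLD);
        // Answer carried over from an earlier round rather than produced in this one.
        if (answeredInRound < roundId) revert StaleEthPrice(updatedAt, PRICE_STALENESS_THRESHOLD);

        // Chainlink ETH/USD has 8 decimals; scale to 18 (Kept does this via its Fixed18 libraries).
        return uint256(answer) * 1e10;
    }
}

// Constructed mock feed so the check can be exercised locally (not a real Chainlink aggregator).
contract MockFeed is IAggregatorV3 {
    int256 private _answer; uint256 private _updatedAt;
    constructor(int256 answer_, uint256 updatedAt_) { _answer = answer_; _updatedAt = updatedAt_; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, _answer, _updatedAt, _updatedAt, 1);
    }
}

contract KeptExample is KeptWithStalenessCheck {
    IAggregatorV3 private immutable _feed;
    constructor(IAggregatorV3 feed) { _feed = feed; }
    function ethTokenOracleFeed() public view override returns (IAggregatorV3) { return _feed; }
    function etherPrice() external view returns (uint256) { return _etherPrice(); }
}
```

Deploying `KeptExample` over a `MockFeed(2000e8, block.timestamp)` returns `2000e18`, while a mock whose `updatedAt` is more than the threshold in the past makes `etherPrice()` revert with `StaleEthPrice` instead of silently paying keepers at an outdated rate.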

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

n33k commented:

unhandled stale price returned from latestRoundData()