sherlock-audit / 2023-07-perennial-judging


rvierdiiev - Kept contract doesn't check ether price from feed #17

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

rvierdiiev

medium

Kept contract doesn't check ether price from feed

Summary

Kept contract doesn't check ether price from feed

Vulnerability Detail

Kept contract has keep modifier, which should calculate amount of DSU that keeper should receive for execution. It uses Chainlink price feed to get price.

The problem is that function doesn't check if price is stale or invalid, it just uses it as it is. Because of that it's possible that wrong price will be used to calculate reward.

Impact

Wrong price can be used

Code Snippet

Provided above

Tool used

Manual Review

Recommendation

Check returned prices to be valid and not stale.

Duplicate of #159

sherlock-admin commented 1 year ago

3 comment(s) were left on this issue during the judging contest.

141345 commented:

d

n33k commented:

low

darkart commented:

The same as 014 no longer accepted in Sherlock as Medium + already specified by the protocol