search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

OxZ00mer - Lack of update check for ETH/USD oracle allows the for use of outdated prices #172

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

OxZ00mer

medium

Lack of update check for ETH/USD oracle allows the for use of outdated prices

Summary

The lack of a check for the oracle data age for the keeper fee calculation can lead to fund loss for the protocol or the keeper.

Vulnerability Detail

The price oracle integration of the ETH/USD feed doesn't check for when the price feed was last updated, thus allowing old prices to be used in calculating keeper fees.

Impact

In the case that the data from the price feed is not up-to-date anymore either the keeper or the protocol will lose funds in the form of a lower or higher keeper fee than supposed to.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L62

// @audit the function's updatedAt output value doesn't get checked for age.
(, int256 answer, , ,) = ethTokenOracleFeed().latestRoundData();

Tool used

Manual Review

Recommendation

Consider checking for whether the publish time of the prices is within appropriate staleness bounds similar to in this place in the protocol: https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L148-L151

Duplicate of #159

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

n33k commented:

unhandled stale price returned from latestRoundData()