Nadin - `PythOracle.sol#commitRequested()` does not work properly due to data parameter mismatch.

[sherlock-admin]

Nadin

medium

PythOracle.sol#commitRequested() does not work properly due to data parameter mismatch.

Summary

When PythOracle.sol#commitRequested() is reached and modifier keep() is called, "" is passed as an argument, then passed into the function _raiseKeeperFee() as the data argument. As a result, it will lead to function does not work properly.

Vulnerability Detail

• Take a look at PythOracle.sol#commitRequested(), "" is passed as a data in modifier keep() : here

  File: PythOracle.sol
  function commitRequested(uint256 versionIndex, bytes calldata updateData)
      public
      payable
      keep(KEEPER_REWARD_PREMIUM, KEEPER_BUFFER, updateData, "") //@audit "" is passed rather than data
  {
  ---SNIP---

• Then take a look at modifier keep(), "" is passed as a data into function _raiseKeeperFee() : here

  File: Kept.sol
  44:    modifier keep(UFixed18 multiplier, uint256 buffer, bytes memory dynamicCalldata, bytes memory data) {
  ---SNIP---
  56:        _raiseKeeperFee(keeperFee, data); // @audit data is ""

• Take a look at function _raiseKeeperFee() : here

  441:    function _raiseKeeperFee(UFixed18 keeperFee, bytes memory data) internal override {
  442:        (address account, address market, UFixed6 fee) = abi.decode(data, (address, address, UFixed6)); // @audit data is ""
  443:        if (keeperFee.gt(UFixed18Lib.from(fee))) revert MultiInvokerMaxFeeExceededError();
  ---SNIP---

• At L442, abi.decode with "" will returns unexpected value.

  Impact

  PythOracle.sol#commitRequested() does not work properly due to data parameter mismatch. As a result, it will lead to function does not work properly.

  Code Snippet

  https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L129C14-L133

  Tool used

Manual Review

Recommendation

• Ensure that the correct parameters are passed into modifier keep() in function PythOracle.sol#commitRequested().
• Example like function _executeOrder() does.

[sherlock-admin]

3 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid because for PythOracle keep() will call _raiseKeeperFee which is in PythOracle, not in MultiInvoker, and in PythOracle _raiseKeeperFee ignores data

n33k commented:

invalid, the data is passed to PythOracle::_raiseKeeperFee, not MultiInvoker::_raiseKeeperFee

polarzero commented:

Invalid. The issue raised is indeed a valid concern, as it is important to explicitly handle unexpected behavior; however, this does not seem to qualify either as a medium or high severity vulnerability.