Closed sherlock-admin3 closed 1 week ago
We believe the keeper is trustworthy.
Oracles: We use our own offline oracle mechanism, where the oracle protocol administrator is only responsible for providing the oracle price. Subsequently, we consider using Chainlink for deviation verification on-chain.
Both are TRUSTED.
Invalid, oracles price are trusted at any given point of time, additionally no impact described for issues and nothing can prevent the keepr from calling the function.
everyanykey
Medium
Frontrunning executeWithdraw call by keeper
Summary
Vulnerability Detail
executeWithdraw
at the line https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L48 can be frontrun by anyone who calls directly toAssetsProcess.executeWithdraw(requestId, request);
Impact
Prevents Keeprs from calling
executeWithdraw
with a special price set to oracle.Code Snippet
Tool used
Manual Review
Recommendation