Closed sherlock-admin3 closed 5 months ago
3 comment(s) were left on this issue during the judging contest.
z3s commented:
Low; ETH from msg.sender is intended.
z3s commented:
From README msg.sender paying ETH is the intention.
takarez commented:
medium(1)
As per the README, the ETH is supposed to come from the msg.sender. Since the keeper fees returned in DSU are compensating the committer for paying the ETH/other fees (including gas) required to commit the price, we determined the right behavior is to send the DSU to the msg.sender, not the account.
blackhole
medium
_commitPrice doesn't work on user's behalf as expected if the msg.sender is an operator.
Summary
The operator role is limited to only being able to send multiinvoker transactions on the user's behalf via the invoke(account, actions) function. However, for the COMMIT_PRICE action case, the operator is not sending the transaction on the user's behalf.
Vulnerability Detail
The operator can invoke the COMMIT_PRICE action on behalf of the user. In this case msg.sender is an operator and account is the user. The _commitPrice function doesn't have an account parameter for transferring the keeper fee, and it doesn't have code for receiving the ETH value from the user.
https://github.com/sherlock-audit/2024-05-kwenta-x-perennial-integration-update/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L346~L362
Impact
When the operator invokes the _commitPrice function on the user's behalf, the value (ETH) should come from the user, and the DSU fee should also be transferred to the user.
Code Snippet
_commitPrice function: https://github.com/sherlock-audit/2024-05-kwenta-x-perennial-integration-update/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L346~L362
Tool used
Manual Review
Recommendation
It's recommended to disable the _commitPrice function if the caller is an operator, or to implement the code to transfer the DSU fee to the user and receive the ETH from the user.
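To make the two fee-routing designs discussed in this thread concrete, here is an added illustrative Solidity sketch. It is not the Perennial MultiInvoker code and is not from the submitter or the judges; the contract name, the Action enum, the operators mapping, the IKeeperOracle and IERC20Like interfaces, the argument encoding and the function names are all assumptions. It shows an invoke dispatcher that lets an approved operator act for an account, and a commit-price path in which the ETH forwarded to the oracle always comes from msg.sender and the DSU keeper fee is returned to msg.sender (the behaviour the judges describe as intended), with the submitter's alternative of routing the fee to the account left as a commented-out line.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch (assumption): minimal stand-ins for the real oracle and
// the DSU token. All names here are hypothetical.
interface IKeeperOracle {
    // Commits a price; the oracle may require ETH to cover its own fee.
    function commit(bytes calldata data) external payable;
}

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract InvokerSketch {
    enum Action { NOOP, COMMIT_PRICE }

    struct Invocation {
        Action action;
        // For COMMIT_PRICE: abi.encode(address oracle, bytes data, uint256 value, uint256 keeperFee)
        bytes args;
    }

    IERC20Like public immutable dsu;
    // account => operator => approved
    mapping(address => mapping(address => bool)) public operators;

    event PriceCommitted(address indexed account, address indexed feeRecipient, uint256 keeperFee);

    constructor(IERC20Like dsu_) {
        dsu = dsu_;
    }

    // An account opts an operator in (or out) for itself only.
    function setOperator(address operator, bool approved) external {
        operators[msg.sender][operator] = approved;
    }

    // Entry point: the caller must be the account itself or an approved operator.
    // Any ETH attached to the call belongs to msg.sender, never to `account`.
    function invoke(address account, Invocation[] calldata invocations) external payable {
        require(msg.sender == account || operators[account][msg.sender], "not authorized");

        uint256 remaining = msg.value; // ETH the caller fronted, consumed per action
        for (uint256 i = 0; i < invocations.length; i++) {
            if (invocations[i].action == Action.COMMIT_PRICE) {
                (address oracle, bytes memory data, uint256 value, uint256 keeperFee) =
                    abi.decode(invocations[i].args, (address, bytes, uint256, uint256));
                require(value <= remaining, "insufficient ETH");
                remaining -= value;
                _commitPrice(account, oracle, data, value, keeperFee);
            }
        }
        // Leftover ETH handling (refund to msg.sender) is omitted from this sketch.
    }

    // The ETH sent to the oracle came from the caller, whether that caller is the
    // account or its operator. The DSU keeper fee reimburses whoever fronted that
    // ETH, so under the intended design it goes to msg.sender.
    function _commitPrice(
        address account,
        address oracle,
        bytes memory data,
        uint256 value,
        uint256 keeperFee
    ) internal {
        IKeeperOracle(oracle).commit{value: value}(data);

        address feeRecipient = msg.sender; // intended: reimburse the committer
        // address feeRecipient = account; // alternative proposed in the issue

        if (keeperFee > 0) {
            require(dsu.transfer(feeRecipient, keeperFee), "fee transfer failed");
        }
        emit PriceCommitted(account, feeRecipient, keeperFee);
    }
}
```

The point the sketch makes explicit is that `account` only selects whose position the action applies to; it never supplies ETH, because msg.value is attached by the caller. Whichever design a project picks, the invariant worth documenting and testing is that the party who pays the commit cost is the one who receives the DSU reimbursement, so an operator can neither be drained of ETH nor credited with a fee it did not earn.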