This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

minhtrng - Lack of staleness check in Kept #166

Closed
sherlock-admin opened this issue Aug 15, 2023 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Contributor

sherlock-admin commented Aug 15, 2023

minhtrng

medium

Lack of staleness check in Kept

Summary

Lack of staleness check in Kept.

Vulnerability Detail

There is no staleness check in Kept._etherprice:

    (, int256 answer, , ,) = ethTokenOracleFeed().latestRoundData();
    return UFixed18Lib.from(Fixed18Lib.ratio(answer, 1e8)); // chainlink eth-usd feed uses 8 decimals

common issue, example submission for reference

Impact

wrong ether price used when paying keepers

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/root/contracts/attribute/Kept.sol#L62-L63

Tool used

Manual Review

Recommendation

Read the updatedAt parameter from the calls to latestRoundData() and verify that it isn't older than a threshold.

Duplicate of #159
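The check the recommendation asks for, written out as an added example that is not part of the original submission or of Perennial's Kept.sol. The interface mirrors Chainlink's AggregatorV3Interface; the contract name, function names, custom errors and the `maxPriceAge` tolerance are assumptions chosen for illustration. The unchecked function reproduces the shape of the snippet quoted above for side-by-side comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Perennial code: a minimal Chainlink consumer that validates
// latestRoundData() before trusting the answer. Interface mirrors Chainlink's
// AggregatorV3Interface; contract and function names are assumptions.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract StaleCheckedEthPrice {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);

    AggregatorV3Interface public immutable feed;
    // Assumed tolerance. Set it a little above the feed's documented heartbeat
    // on the chain you deploy to (heartbeats differ per feed and per network).
    uint256 public immutable maxPriceAge;

    constructor(AggregatorV3Interface feed_, uint256 maxPriceAge_) {
        feed = feed_;
        maxPriceAge = maxPriceAge_;
    }

    // Vulnerable shape, kept for comparison: uses `answer` without looking at
    // when it was last updated or whether the round actually completed.
    function etherPriceUnchecked() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer); // ETH/USD feed answers carry 8 decimals
    }

    // Hardened version: reverts on non-positive, incomplete or stale answers.
    function etherPriceChecked() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // A zero or negative answer is never a valid ETH/USD price.
        if (answer <= 0) revert InvalidPrice(answer);
        // answeredInRound < roundId means the round was opened but not answered.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // updatedAt == 0 is a round that was never updated; a future timestamp
        // would make the subtraction below revert, so treat it as stale too.
        if (updatedAt == 0 || updatedAt > block.timestamp || block.timestamp - updatedAt > maxPriceAge) {
            revert StalePrice(updatedAt, maxPriceAge);
        }
        return uint256(answer);
    }
}
```

Reverting is the conservative choice; in a keeper-payment path it means keeper calls fail while the feed is stale, so a deployment may prefer to fall back to a secondary source or a last known price rather than revert. The `answeredInRound` comparison is deprecated in newer Chainlink feeds and can be dropped where the feed no longer populates it; the `updatedAt` age check is the one that matters for this finding.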

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 18, 2023
@sherlock-admin
Contributor Author

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

n33k commented:

unhandled stale price returned from latestRoundData()

@sherlock-admin2 sherlock-admin2 changed the title Itchy Licorice Stork - Lack of staleness check in Kept minhtrng - Lack of staleness check in Kept Aug 23, 2023
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 23, 2023