solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation


A Keep3rV2.current() call has high data freshness but low security: an exploiter only needs to manipulate 2 data points to impact the feed.


Definition

rules:
  - id: keeper-network-oracle-manipulation
    # Finding text shown to the user; it also appears as the page description.
    message: Keep3rV2.current() call has high data freshness, but it has low
      security,  an exploiter simply needs to manipulate 2 data points to be
      able to impact the feed.
    metadata:
      category: security
      technology:
        - solidity
      cwe: "CWE-682: Incorrect Calculation"
      # The match is purely syntactic (see `patterns` below), so confidence is
      # about the presence of the call, not about how its result is used.
      confidence: HIGH
      likelihood: LOW
      impact: HIGH
      subcategory:
        - vuln
      references:
        # Incident write-ups and the Keep3r oracle design post; the last entry
        # is the on-chain address the write-ups refer to.
        - https://twitter.com/peckshield/status/1510232640338608131
        - https://twitter.com/FrankResearcher/status/1510239094777032713
        - https://twitter.com/larry0x/status/1510263618180464644
        - https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9
        - https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    # Matches any three-argument `<expr>.current(a, b, c)` call. $KEEPER is an
    # unconstrained metavariable: the receiver is not checked against the
    # IKeep3rV2 type, and the pattern does not constrain what the caller does
    # with the returned tuple (e.g. whether the second value, the age of the
    # observation, is inspected).
    patterns:
      - pattern: $KEEPER.current($TOKENIN, $AMOUNTIN, $TOKENOUT);
    languages:
      - solidity
    severity: WARNING

Examples

keeper-network-oracle-manipulation.sol

pragma solidity ^0.5.16;

import "./SafeMath.sol";

/// @notice Minimal price-feed interface: a price plus the number of decimals
///         it is expressed in. Implemented by InvFeed below and consumed for
///         the ETH leg via `ethFeed`.
interface IFeed {
    /// @return Number of decimals the value returned by latestAnswer() carries.
    function decimals() external view returns (uint8);
    /// @return Most recent price reported by the feed, scaled by decimals().
    function latestAnswer() external view returns (uint);
}

/// @notice Subset of the Keep3rV2 oracle interface used by this file.
interface IKeep3rV2 {
    /// @notice Spot quote: how much `tokenOut` `amountIn` of `tokenIn` is worth.
    /// @dev Per the rule this file exercises, `current()` is derived from only
    ///      the latest observations and is therefore cheap to manipulate;
    ///      callers that ignore `lastUpdatedAgo` also get no staleness signal.
    /// @param tokenIn   Token being priced.
    /// @param amountIn  Amount of `tokenIn` to quote.
    /// @param tokenOut  Token the quote is denominated in.
    /// @return amountOut      Quoted amount of `tokenOut`.
    /// @return lastUpdatedAgo Age of the observation the quote is based on
    ///                        (units not stated here — TODO confirm against
    ///                        the Keep3rV2 oracle source).
    function current(address tokenIn, uint amountIn, address tokenOut) external view returns (uint256 amountOut, uint lastUpdatedAgo);
}

/// @notice Semgrep test fixture: an IFeed that derives an INV price by
///         chaining a Keep3rV2 spot quote (INV -> WETH) with a second feed
///         (ETH -> feed currency). The `// ruleid:` marker in latestAnswer()
///         is the line the rule is expected to flag; keep it in place.
contract InvFeed is IFeed {
    // mul/div below come from the imported library; assumed to revert on
    // overflow / division by zero (OpenZeppelin-style SafeMath) — confirm
    // against ./SafeMath.sol.
    using SafeMath for uint;

    IKeep3rV2 public keep3rV2Feed; // Keep3rV2 oracle queried for INV/WETH
    IFeed public ethFeed;          // feed supplying the ETH price
    address public inv;            // tokenIn for the Keep3r quote
    address public weth;           // tokenOut for the Keep3r quote

    /// @notice Wires the two oracles and the token pair. No zero-address
    ///         checks are performed; the addresses are immutable after
    ///         deployment only in the sense that no setter exists.
    constructor(IKeep3rV2 _keep3rV2Feed, IFeed _ethFeed, address _inv, address _weth) public {
        keep3rV2Feed = _keep3rV2Feed;
        ethFeed = _ethFeed;
        inv = _inv;
        weth = _weth;
    }

    /// @return 18 — the scale this feed reports its answer in.
    function decimals() public view returns(uint8) {
        return 18;
    }

    /// @notice INV price = (WETH received for 1e18 INV) * ethFeed price,
    ///         rescaled by ethFeed.decimals().
    /// @dev The second return value of current() (`lastUpdatedAgo`) is
    ///      discarded, so the contract never checks how old the observation
    ///      is; combined with current() being a low-security spot value this
    ///      is exactly the pattern the rule reports. The result is assumed to
    ///      carry 18 decimals (amountIn is 1e18 and the ETH scale is divided
    ///      out), matching decimals() — TODO confirm against the Keep3rV2
    ///      quote scaling.
    function latestAnswer() public view returns (uint) {
        // ruleid: keeper-network-oracle-manipulation
        (uint invEthPrice, ) = keep3rV2Feed.current(inv, 1e18, weth);
        // Multiply before dividing to avoid losing precision in the
        // ethFeed.decimals() rescale.
        return invEthPrice
            .mul(ethFeed.latestAnswer())
            .div(10**uint256(ethFeed.decimals()));
    }

}