solidity.security.keeper-network-oracle-manipulation.keeper-network-oracle-manipulation
Keep3rV2.current() call has high data freshness, but it has low security: an exploiter simply needs to manipulate 2 data points to be able to impact the feed.
Definition
rules:
  - id: keeper-network-oracle-manipulation
    # Shown verbatim to the user on every match; the rationale is that
    # Keep3rV2.current() is fresh but cheap to influence (see references).
    message: Keep3rV2.current() call has high data freshness, but it has low
      security, an exploiter simply needs to manipulate 2 data points to be
      able to impact the feed.
    metadata:
      category: security
      technology:
        - solidity
      cwe: "CWE-682: Incorrect Calculation"
      # HIGH confidence / LOW likelihood: the pattern is precise, but an actual
      # loss requires an attacker willing to move the underlying data points.
      confidence: HIGH
      likelihood: LOW
      impact: HIGH
      subcategory:
        - vuln
      # Incident write-ups and the on-chain oracle contract this rule targets.
      references:
        - https://twitter.com/peckshield/status/1510232640338608131
        - https://twitter.com/FrankResearcher/status/1510239094777032713
        - https://twitter.com/larry0x/status/1510263618180464644
        - https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9
        - https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other
    patterns:
      # $KEEPER is an unconstrained metavariable: any receiver exposing a
      # three-argument current(tokenIn, amountIn, tokenOut) is reported, so
      # look-alike interfaces on other contracts will also match (review each
      # finding against the actual type of the receiver). The trailing ';' makes
      # this a statement pattern; the example below shows it firing on a call
      # nested inside a tuple assignment.
      - pattern: $KEEPER.current($TOKENIN, $AMOUNTIN, $TOKENOUT);
    languages:
      - solidity
    severity: WARNING
Examples
keeper-network-oracle-manipulation.sol
pragma solidity ^0.5.16;
import "./SafeMath.sol";
/// Minimal price-feed interface; InvFeed below both consumes one (ethFeed)
/// and implements it. Only the two functions used in this file are declared.
interface IFeed {
    /// Number of decimals in the value returned by latestAnswer().
    function decimals() external view returns (uint8);
    /// Most recent price, scaled by 10**decimals() (InvFeed divides by that factor).
    function latestAnswer() external view returns (uint);
}
/// Subset of the Keep3rV2 on-chain oracle used by InvFeed: quotes `amountIn`
/// of `tokenIn` in units of `tokenOut`. This is the call the rule flags.
interface IKeep3rV2 {
    /// @return amountOut quote for amountIn of tokenIn, denominated in tokenOut
    /// @return lastUpdatedAgo age of the underlying observation as the name
    ///         suggests; its exact semantics are not visible in this file
    function current(address tokenIn, uint amountIn, address tokenOut) external view returns (uint256 amountOut, uint lastUpdatedAgo);
}
/// INV price feed that chains two oracles: Keep3rV2 for the INV->WETH leg and
/// an external IFeed for the WETH leg. The answer is reported with 18 decimals.
contract InvFeed is IFeed {
    using SafeMath for uint;

    IKeep3rV2 public keep3rV2Feed; // source of the INV->WETH quote
    IFeed public ethFeed;          // price feed for WETH
    address public inv;            // token being priced (tokenIn for Keep3rV2)
    address public weth;           // quote token handed to Keep3rV2 (tokenOut)

    constructor(IKeep3rV2 _keep3rV2Feed, IFeed _ethFeed, address _inv, address _weth) public {
        keep3rV2Feed = _keep3rV2Feed;
        ethFeed = _ethFeed;
        inv = _inv;
        weth = _weth;
    }

    /// Fixed 18-decimal output; ethFeed's own decimals are divided out in
    /// latestAnswer(), so they do not leak into this value.
    function decimals() public view returns (uint8) {
        return 18;
    }

    /// Price of 1e18 INV: the Keep3rV2 INV->WETH quote multiplied by the WETH
    /// feed's answer and normalised by that feed's decimals.
    /// The second return value of current() (lastUpdatedAgo) is discarded, so
    /// nothing here checks how old the Keep3rV2 observation is.
    function latestAnswer() public view returns (uint) {
        // ruleid: keeper-network-oracle-manipulation
        (uint invPerEth, ) = keep3rV2Feed.current(inv, 1e18, weth);
        uint ethAnswer = ethFeed.latestAnswer();
        uint ethScale = 10**uint256(ethFeed.decimals());
        return invPerEth.mul(ethAnswer).div(ethScale);
    }
}