Insecure Keep3rV2 Oracle Manipulation
Description
The Keep3rV2 current() call offers high data freshness but low security: an attacker needs to manipulate only two data points to move the feed, which poses a significant risk to anything priced from it.
Examples
Insecure Code
```solidity
keeper.current(tokenIn, amountIn, tokenOut);
```
Secure Code
```solidity
keeper.current(tokenIn, amountIn, tokenOut, additionalValidation());
```
Remediation
Implement additional security measures against oracle manipulation, such as using a more secure oracle or robustly validating the data returned by the feed before acting on it.
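One way to apply that validation on the consumer side, as an added example that is not part of this rule or of the Keep3r project: the fresh two-point price from current() is accepted only when it is recent and agrees with the slower multi-point quote() average. The interface below is assumed to match the public view functions of the Keep3rV2Oracle contract; the point count, age limit and deviation bound are illustrative constants.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface (see lead-in): both calls return the amount of tokenOut obtained for
// amountIn of tokenIn and the age, in seconds, of the newest observation they used.
interface IKeep3rV2Oracle {
    function current(address tokenIn, uint256 amountIn, address tokenOut)
        external view returns (uint256 amountOut, uint256 lastUpdatedAgo);
    function quote(address tokenIn, uint256 amountIn, address tokenOut, uint256 points)
        external view returns (uint256 amountOut, uint256 lastUpdatedAgo);
}

contract GuardedKeep3rPrice {
    IKeep3rV2Oracle public immutable keeper;

    uint256 public constant POINTS = 8;              // observations in the slower average (illustrative)
    uint256 public constant MAX_AGE = 30 minutes;    // reject observations older than this (illustrative)
    uint256 public constant MAX_DEVIATION_BPS = 200; // 2% tolerated gap between fresh and averaged price

    constructor(IKeep3rV2Oracle _keeper) {
        keeper = _keeper;
    }

    /// Returns the fresh price only if it is recent and within MAX_DEVIATION_BPS of the
    /// multi-point average; a pair of manipulated observations trips the deviation check.
    function safePrice(address tokenIn, uint256 amountIn, address tokenOut)
        external view returns (uint256)
    {
        (uint256 fresh, uint256 freshAge) = keeper.current(tokenIn, amountIn, tokenOut);
        (uint256 averaged, uint256 avgAge) = keeper.quote(tokenIn, amountIn, tokenOut, POINTS);

        require(fresh > 0 && averaged > 0, "oracle: zero price");
        require(freshAge <= MAX_AGE && avgAge <= MAX_AGE, "oracle: stale");

        uint256 diff = fresh > averaged ? fresh - averaged : averaged - fresh;
        require(diff * 10_000 <= averaged * MAX_DEVIATION_BPS, "oracle: deviation");
        return fresh;
    }
}
```

Tune POINTS, MAX_AGE and MAX_DEVIATION_BPS to the pair's normal volatility and the observation cadence of the oracle you actually use; bounds that are too tight will revert on legitimate moves.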
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0495 |
| Category | Crypto |
| Severity | HIGH |
| CWE | CWE-682 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | oracle manipulation, keep3rV2 |
| OWASP | N/A |
References
- https://etherscan.io/address/0x210ac53b27f16e20a9aa7d16260f84693390258f
- https://andrecronje.medium.com/keep3r-network-on-chain-oracle-price-feeds-3c67ed002a9
- https://twitter.com/peckshield/status/1510232640338608131
- https://twitter.com/larry0x/status/1510263618180464644
- https://twitter.com/FrankResearcher/status/1510239094777032713