DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Valid

No way to send ETH into the protocol; this causes `ChainlinkUtil.verifyReport` to revert since no ETH fee can be sent with the call

Summary

ChainlinkUtil.verifyReport forwards ETH with the verifier call, but the PerpsEngine contract never holds any ETH, so the call will always revert. The PerpsEngine contract does not implement a receive or fallback function, so ETH cannot be deposited into it.

Vulnerability Details

The code makes it obvious that a fee in ETH is sent with the call to the chainlinkVerifier contract.

Chainlink also states this clearly in their docs:

You pay to verify reports from Data Streams onchain using the verifier contract. You pay per report verified. If you verify multiple reports in a batch, you pay for all of the reports included in that batch.
The verification price is 0.35 USD per report.

Here is the SettlementConfiguration.verifyDataStreamsReport() function that calls ChainlinkUtil.verifyReport:

```solidity
function verifyDataStreamsReport(
    DataStreamsStrategy memory dataStreamsStrategy,
    bytes memory signedReport
)
    internal
    returns (bytes memory verifiedReportData)
{
    IVerifierProxy chainlinkVerifier = dataStreamsStrategy.chainlinkVerifier;
    bytes memory reportData = ChainlinkUtil.getReportData(signedReport);
    // Fee quoted by the verifier in ETH for this report
    (FeeAsset memory fee) = ChainlinkUtil.getEthVericationFee(chainlinkVerifier, reportData);
    // The fee is forwarded as msg.value inside verifyReport
    verifiedReportData = ChainlinkUtil.verifyReport(chainlinkVerifier, fee, signedReport);
}
```

Clearly a fee is calculated by calling getEthVericationFee and then passed into ChainlinkUtil.verifyReport.

Looking now at ChainlinkUtil.verifyReport:

```solidity
function verifyReport(
    IVerifierProxy chainlinkVerifier,
    FeeAsset memory fee,
    bytes memory signedReport
)
    internal
    returns (bytes memory verifiedReportData)
{
    // fee.amount is sent as ETH (msg.value) with the call; it must come from this contract's balance
    verifiedReportData = chainlinkVerifier.verify{ value: fee.amount }(signedReport, abi.encode(fee.assetAddress));
}
```

It sends the previously calculated fee as ETH in the call to chainlinkVerifier.verify. Because the ETH attached to an external call is drawn from the calling contract's balance, the call can only succeed if PerpsEngine holds at least fee.amount of ETH.

The issue is that the PerpsEngine contract does not implement a receive or fallback function, so there is no way for the protocol to send ETH to it.

Impact

Keepers cannot fill orders since ChainlinkUtil.verifyReport always reverts.

There is no way to send ETH into the contract to pay the report verification fee.

Tools Used

Manual Review

Recommendations

Implement a receive function on PerpsEngine so that ETH for the verification fee can be sent to it.
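The following is an added example, not code from the DeFiFoundry/Zaros project or from Chainlink: a minimal mock verifier that charges an ETH fee, an engine contract that mirrors the pattern in the finding (forwards `msg.value` but cannot receive ETH), and a corrected engine that adds `receive()` and an explicit balance check so the revert reason is clear. `MockVerifier`, `feeWei`, `EngineWithoutReceive`, `EngineWithReceive` and `settle` are all names invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for Chainlink's verifier proxy (constructed for this example, not Chainlink's code).
// It models the documented behaviour that verification costs an ETH fee per report.
interface IMockVerifier {
    function feeWei() external view returns (uint256);
    function verify(bytes calldata payload, bytes calldata parameterPayload)
        external
        payable
        returns (bytes memory);
}

contract MockVerifier is IMockVerifier {
    uint256 private immutable _feeWei;

    constructor(uint256 feeWei_) {
        _feeWei = feeWei_;
    }

    function feeWei() external view returns (uint256) {
        return _feeWei;
    }

    // Reverts unless the caller attached at least the quoted fee.
    function verify(bytes calldata payload, bytes calldata) external payable returns (bytes memory) {
        require(msg.value >= _feeWei, "MockVerifier: insufficient fee");
        return payload; // a real verifier would return the decoded report data
    }
}

// Reproduces the finding: the contract forwards ETH it can never hold.
// With no receive()/fallback(), address(this).balance stays 0, so the
// {value: fee} call fails at the EVM level and settle() reverts with no reason string.
contract EngineWithoutReceive {
    IMockVerifier public immutable verifier;

    constructor(IMockVerifier verifier_) {
        verifier = verifier_;
    }

    function settle(bytes calldata signedReport) external returns (bytes memory) {
        uint256 fee = verifier.feeWei();
        return verifier.verify{ value: fee }(signedReport, "");
    }
}

// Corrected version: the engine can be pre-funded and fails loudly if it is not.
contract EngineWithReceive {
    IMockVerifier public immutable verifier;

    event Funded(address indexed from, uint256 amount);

    constructor(IMockVerifier verifier_) {
        verifier = verifier_;
    }

    // Allows the protocol (or an operator) to deposit ETH for verification fees.
    receive() external payable {
        emit Funded(msg.sender, msg.value);
    }

    function settle(bytes calldata signedReport) external returns (bytes memory) {
        uint256 fee = verifier.feeWei();
        // Explicit check turns an opaque call failure into a readable revert reason.
        require(address(this).balance >= fee, "Engine: insufficient ETH for verification fee");
        return verifier.verify{ value: fee }(signedReport, "");
    }
}
```

To exercise it: deploy `MockVerifier(0.001 ether)`, then both engines pointing at it. `EngineWithoutReceive.settle(...)` reverts on every call and there is no transaction that can fund it. Sending `0.001 ether` to `EngineWithReceive` by a plain transfer succeeds (the `Funded` event is emitted), after which `settle(...)` completes; calling `settle` before funding reverts with the explicit reason string rather than an empty revert, which is what a keeper would want to see in the failing transaction.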

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

No means for the PerpEngine to receive native to pay the Chainlink Verifier in case Chainlink charges fees to the protocol
