The Keeper contract has a safety mechanism that compares the price with the Chainlink price feed. According to the sponsor, vaults can use a GMX market for any ERC20 token pair, not just USDC pairs. The comparison, however, assumes that every Chainlink data feed returns its answer with 8 decimals, which is not true: some price feeds return their answer with 18 decimals. Some examples of these price feeds are:
Arbitrum:
BTC/ETH: 0xc5a90A6d7e4Af242dA238FFe279e9f2BA0c64B2e
LINK/ETH: 0xb7c8Fb1dB45007F98A68Da0588e1AA524C317f27
PEPE/USD: 0x02DEd5a7EDDA750E3Eb240b54437a54d57b74dBE
SHIB/USD: 0x0E278D14B4bf6429dDB0a1B353e2Ae8A4e128C93
So the team is manually assuming that every Chainlink price has 8 decimals, but some have 18.
This could cause multiple issues:
Wrong price comparison, because the price is scaled as if the Chainlink feed had 8 decimals.
A big difference would cause the function to revert.
It makes the safety feature ineffective.
Manual Review
Instead of assuming 8 decimals, the right way is to fetch the decimals from the feed directly and scale the price accordingly.
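One way to implement this recommendation, as an added example that is not the project's own code: the library below reads `decimals()` from the feed and rescales the answer before the deviation check. The library name `FeedPriceCheck`, the constant `TARGET_DECIMALS` (the precision of the price being validated, assumed here to be 30) and the `maxDeviationBps` parameter are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface needed for the check.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper for illustration; names and constants are assumptions.
library FeedPriceCheck {
    // Assumption: the price being validated is expressed with 30 decimals.
    uint8 internal constant TARGET_DECIMALS = 30;
    uint256 internal constant BPS = 10_000;

    error InvalidFeedAnswer();
    error UnsupportedFeedDecimals(uint8 feedDecimals);
    error PriceDeviationTooHigh(uint256 price, uint256 feedPrice);

    /// Returns the feed answer rescaled to TARGET_DECIMALS using the feed's own decimals().
    function referencePrice(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidFeedAnswer();

        // Read the precision from the feed instead of hard-coding 8:
        // some feeds report 8 decimals, others 18.
        uint8 feedDecimals = feed.decimals();
        if (feedDecimals > TARGET_DECIMALS) revert UnsupportedFeedDecimals(feedDecimals);

        return uint256(answer) * 10 ** uint256(TARGET_DECIMALS - feedDecimals);
    }

    /// Reverts when `price` (already scaled to TARGET_DECIMALS) differs from the
    /// feed price by more than `maxDeviationBps` basis points.
    function validate(AggregatorV3Interface feed, uint256 price, uint256 maxDeviationBps) internal view {
        uint256 feedPrice = referencePrice(feed);
        uint256 diff = price > feedPrice ? price - feedPrice : feedPrice - price;
        if (diff * BPS > feedPrice * maxDeviationBps) revert PriceDeviationTooHigh(price, feedPrice);
    }
}
```

With a hard-coded 8, an 18-decimal answer would be scaled 10^10 times too large, so the deviation check would either always revert or never be meaningful.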