Misuse of Index Token Price for Long Token Validation in KeeperProxy
Summary
The contract mistakenly uses indexTokenPrice to validate the price of the long token. This leads to an incorrect comparison when verifying the long token’s price because it references the wrong field (prices.indexTokenPrice instead of a prices.longTokenPrice).
Vulnerability Details
In the _validatePrice function:
It reuses prices.indexTokenPrice for the long token checks. If longToken is not the same as indexToken, then the long token’s price is never validated properly against its own values.
Impact
Medium
Tools Used
Manual
Recommendations
Fixed code:
Lead Judging Commences
finding_validatePrice_no_check_for_longTokenPrice
Likelihood: None/Very Low, everytime the keeper send a price via run/runNextAction (sent by the Gamma keeper). Impact: Medium/High, does not check the longTokenPrice, it could go out of range. Keep in mind indexToken == longToken, an error from the keeper could be considered informational.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.