DeFiFoundry
50,000 USDC
Submission Details
Severity: high
Invalid

Inability to Use KeeperProxy::runNextAction and KeeperProxy::run Functions in KeeperProxy

Summary

The KeeperProxy::_validatePrice function presents a vulnerability that could cause a one-hour downtime in the system when the Chainlink Sequencer is restarted. This issue prevents the use of the KeeperProxy contract, as well as the KeeperProxy::runNextAction and KeeperProxy::run functions. This situation can negatively impact the protocol's functionality and user experience.

Vulnerability Details

Location:

_validatePrice function in the KeeperProxy.sol contract.

https://github.com/CodeHawks-Contests/2025-02-gamma/blob/84b9da452fc84762378481fa39b4087b10bab5e0/contracts/KeeperProxy.sol#L167-L168

Description:

The _validatePrice function is used to verify the accuracy of prices fetched from Chainlink data feeds.

It checks whether the Sequencer is operational and enforces a "grace period" (buffer time) after a restart.

The GRACE_PERIOD_TIME constant is defined as 3600 seconds (1 hour).

When the Sequencer is restarted, the _validatePrice function applies a one-hour waiting period. During this time, price validation fails, preventing system operations (such as opening or closing positions).
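
The check described above, written out as an added example that is not the project's KeeperProxy code. It follows the sequencer uptime feed pattern from Chainlink's documentation; the contract name, function names and custom errors are assumptions, and only GRACE_PERIOD_TIME and its 3600-second value come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal slice of Chainlink's AggregatorV3Interface, declared inline so this file compiles alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract name; an illustration of the pattern, not the audited contract.
contract SequencerGuardExample {
    uint256 public constant GRACE_PERIOD_TIME = 3600; // 1 hour, the value quoted in the report

    AggregatorV3Interface public immutable sequencerUptimeFeed;

    error FeedNotInitialized();
    error SequencerDown();
    error GracePeriodNotOver(uint256 secondsRemaining);

    constructor(address feed) {
        sequencerUptimeFeed = AggregatorV3Interface(feed);
    }

    // Reverts unless the sequencer is up AND has been up for longer than the grace period.
    function checkSequencer() public view {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();

        // startedAt == 0 means the uptime feed has not reported a round yet.
        if (startedAt == 0) revert FeedNotInitialized();

        // Uptime feed convention: answer 0 = sequencer up, 1 = sequencer down.
        if (answer != 0) revert SequencerDown();

        // startedAt is when the current status began, i.e. when the sequencer came back up.
        uint256 timeSinceUp = block.timestamp - startedAt;
        if (timeSinceUp <= GRACE_PERIOD_TIME) {
            revert GracePeriodNotOver(GRACE_PERIOD_TIME - timeSinceUp);
        }
    }

    // Hypothetical stand-in for a keeper entry point such as run or runNextAction:
    // it is unavailable for the whole grace period, which is the behaviour the report describes.
    function keeperAction() external view returns (bool) {
        checkSequencer();
        return true;
    }
}
```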

Impact

Critical operations may be delayed, which can negatively affect system reliability and user experience.

In the event of a Sequencer restart, no new positions can be opened or existing positions closed until the one-hour grace period expires. This may lead to service interruptions in the system.

Tools Used

Manual Review

Recommendations

Alternative Price Sources: In addition to the Chainlink Sequencer, multiple independent price sources could be used to verify prices. This would reduce the system's reliance on a single data source and minimize downtime.

Dynamic "Grace Period" Duration: The grace period duration could be dynamically adjusted based on market conditions or the reliability of the Sequencer. For instance, if the Sequencer is frequently restarted, the grace period could be shortened or completely eliminated.

Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
