Incorrect Price Validation for Long and Short Tokens:
Summary
The KeeperProxy::_validatePrice function contains incorrect price validation logic for the longToken. Specifically, it incorrectly checks the indexTokenPrice instead of the correct longTokenPrice.
Vulnerability Details
In the _validatePrice function, the contract validates the marketData.longToken price using indexTokenPrice, which is incorrect:
This results in improper price validation for long positions, potentially allowing incorrect price discrepancies.
Impact
This bug can cause the following issues:
Incorrect Price Validation: The long token's price is checked against an unrelated index token price, leading to inaccurate price validation.
Potential Exploits: If incorrect price thresholds are used, keepers may be able to execute actions based on invalid price data, causing financial losses.
Operational Issues: The contract may reject valid transactions or accept invalid ones, leading to inefficiencies and potential risks for users.
Tools Used
Manual review
Recommendations
Modify _validatePrice to correctly check longTokenPrice for marketData.longToken:
This fix ensures that each token’s price is validated correctly against its respective price feed.
Lead Judging Commences
finding_validatePrice_no_check_for_longTokenPrice
Likelihood: None/Very Low, everytime the keeper send a price via run/runNextAction (sent by the Gamma keeper). Impact: Medium/High, does not check the longTokenPrice, it could go out of range. Keep in mind indexToken == longToken, an error from the keeper could be considered informational.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.