Chainlink Uptime Registry address should be made configurable in storage to avoid redployments
Summary
intialize() function under KeeperProxy.sol uses hardcoded contract address of upkeep but it is not recommended as per chainlink documentation. Please refer the same as It applies for all up keep contract addresses
Vulnerability Details
Here is the code:
Impact
Main calls to the protocol, like runAction(), runNextAction() will always fail if chainlink upgrades the address of its upkeep contract. Since this protocol lacks upgradability, it risks halting all operations dependent on Chainlink price feeds when an update becomes necessary.
Tools Used
Manual Review
Recommendations
Mandatory: Must make the address configurable
Optional: Make the contracts upgradable to mitigate any issues discovered in future
Optional: Have a backup Oracle as last option like - TWAP
Lead Judging Commences
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.