DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Magic Number Usage in Price Validation Logic

Description

The price validation function (KeeperProxy::_check) contains magic numbers that affect critical calculations, namely:

Decimal arithmetic performed with the hardcoded values 30 and 8
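As an added illustration (not code from this submission or from the DeFiFoundry code base), the following Python reference model reproduces the arithmetic that `_check` performs, with the two magic numbers as named constants. The 30-decimal internal price base, the `BPS = 10_000` scale and the 50 bps sample threshold are assumptions read from the snippet in the Mitigation section; the model also reproduces Solidity 0.8's revert when `decimals - 8` underflows for a token with more than 22 decimals.

```python
# Reference model of KeeperProxy::_check's price normalisation (illustration only,
# not the project's code). BASE_DECIMALS is assumed from `30 - decimals()`; BPS is
# assumed to be the usual 10_000 basis-point scale.
BASE_DECIMALS = 30            # internal price base used by the protocol
CHAINLINK_PRICE_DECIMALS = 8  # Chainlink USD feeds report 8 decimals
BPS = 10_000


def normalise_to_chainlink(price: int, token_decimals: int) -> int:
    """Rescale an internal price (carrying 30 - token_decimals decimals) to 8 decimals.

    Mirrors `price / 10 ** (decimals - 8)` under Solidity 0.8 semantics: the exponent
    is unsigned, so token_decimals > 22 makes `decimals - 8` underflow and the call
    reverts. That revert is modelled as a ValueError.
    """
    decimals = BASE_DECIMALS - token_decimals
    exponent = decimals - CHAINLINK_PRICE_DECIMALS
    if exponent < 0:
        raise ValueError("arithmetic underflow: token has more than 22 decimals")
    return price // 10 ** exponent  # integer division, as in the EVM


def deviation_bps(price_8dec: int, chainlink_price: int) -> int:
    """|price - oracle| * BPS / oracle, the same integer arithmetic as `_check`."""
    if chainlink_price <= 0:
        raise ValueError("non-positive oracle price")
    return abs(price_8dec - chainlink_price) * BPS // chainlink_price


def check_price(price: int, token_decimals: int, chainlink_price: int, threshold_bps: int) -> bool:
    """True when the normalised price deviates from the oracle by less than threshold_bps."""
    return deviation_bps(normalise_to_chainlink(price, token_decimals), chainlink_price) < threshold_bps


if __name__ == "__main__":
    # Constructed sample: an 18-decimal token priced at 2,000.00 USD.
    # The internal price carries 30 - 18 = 12 decimals; the oracle reports 8.
    internal = 2_000 * 10 ** 12
    oracle = 2_000 * 10 ** 8
    print(normalise_to_chainlink(internal, 18) == oracle)          # True
    print(check_price(internal, 18, oracle, threshold_bps=50))     # True
```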

Impact

Changes to decimal calculations require careful verification across multiple locations

  • Risk of introducing precision errors during updates

  • Difficulty tracking relationships between different decimal values

  • Reduced code readability due to unclear numerical values

Mitigation

Replace the hardcoded values with named constants:

+uint256 constant CHAINLINK_PRICE_DECIMALS = 8;
+uint256 constant BASE_DECIMALS = 30;
unction _check(address token, uint256 price) internal view {
// https://github.com/code-423n4/2021-06-tracer-findings/issues/145
(, int chainLinkPrice, , uint256 updatedAt, ) = AggregatorV2V3Interface(dataFeed[token]).latestRoundData();
require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price feed");
- uint256 decimals = 30 - IERC20Meta(token).decimals();
+ uint256 decimals = BASE_DECIMALS - IERC20Meta(token).decimals();
- price = price / 10 ** (decimals - 8); // Chainlink price decimals is always 8.
+ price = price / (10 ** (decimals - CHAINLINK_PRICE_DECIMALS));
require(
_absDiff(price, chainLinkPrice.toUint256()) * BPS / chainLinkPrice.toUint256() < priceDiffThreshold[token],
"price offset too big"
);
}
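Review bot: the rewritten line `price = price / (10 ** (decimals - CHAINLINK_PRICE_DECIMALS))` keeps the same unsigned subtraction as the removed line, so for any token whose `decimals()` exceeds 22 the exponent `decimals - 8` still underflows and the call reverts exactly as before; if such tokens are out of scope, state that assumption in a comment beside the constants, otherwise branch on whether `decimals` is above or below `CHAINLINK_PRICE_DECIMALS` and multiply in the second case. Two smaller points: the two `+` constant declarations are shown immediately above the function with no visibility or placement, so it is unclear whether they are contract-level or file-level constants, and the signature line reads `unction _check` (missing `f`), so the snippet as posted does not compile. Naming `30` as `BASE_DECIMALS` also deserves a one-line comment saying why the internal price base is 30 decimals, since the constant alone only moves the magic number rather than explaining it.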
Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.
