Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Price Feed Decimal Mismatch in KeeperProxy Could Lead to Price Validation Bypass

chainsentryaudits

Summary and Impact

The KeeperProxy contract's _check() function makes a critical assumption about Chainlink price feed decimals that contradicts industry standards. The code assumes all Chainlink feeds use 8 decimals, but this isn't universally true. This mismatch could lead to incorrect price validations, potentially allowing positions to be opened or closed at unfair prices.

This vulnerability directly impacts the protocol's core invariant: "Depositor Share Value Preservation". As stated in the documentation, "The value of a depositor's shares should never decrease due to the actions of other depositors." However, if prices are validated incorrectly, this invariant could be violated as users could enter or exit positions at incorrect prices.

Vulnerability Details

In KeeperProxy.sol, the _check() function contains this problematic code:

function _check(address token, uint256 price) internal view {
// https://github.com/code-423n4/2021-06-tracer-findings/issues/145
(, int chainLinkPrice, , uint256 updatedAt, ) = AggregatorV2V3Interface(dataFeed[token]).latestRoundData();
require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price feed");
uint256 decimals = 30 - IERC20Meta(token).decimals();
price = price / 10 ** (decimals - 8); // Chainlink price decimals is always 8.
require(
_absDiff(price, chainLinkPrice.toUint256()) * BPS / chainLinkPrice.toUint256() < priceDiffThreshold[token],
"price offset too big"
);
}

The comment // Chainlink price decimals is always 8 is incorrect. Let's look at a real scenario:

Consider the ETH/USD price feed on Arbitrum (mentioned in project documentation as a supported chain). If a user deposits ETH and the keeper tries to validate the price:

  1. The token decimals (ETH) = 18

  2. The calculation becomes: decimals = 30 - 18 = 12

  3. The price division: price / 10 ** (12 - 8) = price / 10 ** 4

However, if the Chainlink feed uses 18 decimals instead of the assumed 8, this creates a 10^14 magnitude error in the price comparison. A price that should be rejected could pass validation or vice versa.

This is particularly concerning given the protocol's stated use case: "The Perpetual Vault Protocol is a DeFi system that enables users to engage in leveraged trading on the GMX decentralized exchange." Incorrect price validations in a leveraged trading system could lead to significant losses.

Here's a practical example:

// If ETH price is $2000
// Chainlink returns: 2000 * 10^18
// Our validation divides by 10^4 expecting 8 decimals
// Result: Price comparison is off by a factor of 10^14

Tools Used

  • Manual Review

  • Foundry

Recommendations

Modify the _check() function to dynamically fetch the feed's decimals:

function _check(address token, uint256 price) internal view {
AggregatorV2V3Interface feed = AggregatorV2V3Interface(dataFeed[token]);
(, int chainLinkPrice, , uint256 updatedAt, ) = feed.latestRoundData();
require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price feed");
uint8 feedDecimals = feed.decimals();
uint8 tokenDecimals = IERC20Meta(token).decimals();
// Normalize both prices to the same decimal places
uint256 normalizedPrice = price * 10**feedDecimals / 10**tokenDecimals;
require(
_absDiff(normalizedPrice, chainLinkPrice.toUint256()) * BPS / chainLinkPrice.toUint256() < priceDiffThreshold[token],
"price offset too big"
);
}

This solution ensures correct price validation regardless of the feed's decimal places, maintaining the protocol's invariants and protecting user funds.

Updates

Lead Judging Commences

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Admin is trusted / Malicious keepers

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Admin is trusted / Malicious keepers

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point. Keepers are added by the admin, there is no "malicious keeper" and if there is a problem in those keepers, that's out of scope. ReadMe and known issues states: " * System relies heavily on keeper for executing trades * Single keeper point of failure if not properly distributed * Malicious keeper could potentially front-run or delay transactions * Assume that Keeper will always have enough gas to execute transactions. There is a pay execution fee function, but the assumption should be that there's more than enough gas to cover transaction failures, retries, etc * There are two spot swap functionalies: (1) using GMX swap and (2) using Paraswap. We can assume that any swap failure will be retried until success. " " * Heavy dependency on GMX protocol functioning correctly * Owner can update GMX-related addresses * Changes in GMX protocol could impact system operations * We can assume that the GMX keeper won't misbehave, delay, or go offline. " "Issues related to GMX Keepers being DOS'd or losing functionality would be considered invalid."

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.