The KeeperProxy contract's _check() function relies solely on timestamp validation to reject stale oracle prices. The contract checks that the price update timestamp falls within an acceptable window, but this alone does not guarantee that the price comes from the latest oracle round. Without roundId validation, the system can accept stale price data even when the timestamp check passes.

The check updatedAt > block.timestamp - maxTimeWindow[token] only verifies the age of the price data, not whether it is the latest round available from the oracle.
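The timestamp-only check described above beside a version that also validates the round, as an added Solidity example that is not the KeeperProxy code or the project's own. It assumes a Chainlink-style AggregatorV3Interface feed (the latestRoundData() signature is the real one); the feeds and lastRoundId mappings and the two function names are assumptions, while maxTimeWindow is the name used in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink AggregatorV3Interface shape: latestRoundData() returns the
// round the answer was reported in, the answer, and timing metadata.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt,
                 uint256 updatedAt, uint80 answeredInRound);
}

contract OracleCheckExample {
    mapping(address => IAggregatorV3) public feeds;   // assumed: token -> feed
    mapping(address => uint256) public maxTimeWindow;  // name from the finding
    mapping(address => uint80) public lastRoundId;     // assumed: added state

    // Shape of the check the finding describes: age is the only gate,
    // so a still-fresh answer from an older round passes.
    function _checkTimestampOnly(address token) internal view returns (int256) {
        (, int256 answer, , uint256 updatedAt, ) = feeds[token].latestRoundData();
        require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price");
        return answer;
    }

    // Hardened check: keeps the age window and adds round validation.
    function _checkWithRound(address token) internal returns (int256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound)
            = feeds[token].latestRoundData();
        require(answer > 0, "invalid price");
        require(updatedAt != 0, "round not complete");
        require(updatedAt > block.timestamp - maxTimeWindow[token], "stale price");
        // The answer must belong to this round (or a later one), not be
        // carried over from an earlier round.
        require(answeredInRound >= roundId, "stale round");
        // Reject any round older than one this contract already consumed,
        // so price data cannot move backwards between calls.
        require(roundId >= lastRoundId[token], "round regressed");
        lastRoundId[token] = roundId;
        return answer;
    }
}
```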
- Use of outdated prices even when newer ones are available
- Trading at incorrect prices
1. Oracle reports price data for roundId N
2. Network congestion occurs
3. Oracle updates to roundId N+1
4. Due to congestion, the node serving the contract is still seeing roundId N
5. System processes transactions using stale price data from roundId N
6. Trades execute at incorrect prices
Manual Review
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.