DeFiFoundry
50,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect assumption of Chainlink Price Feed Decimals

Summary

The KeeperProxy contract's _check() function makes an unsafe assumption that all Chainlink price feeds have 8 decimal places. This assumption is incorrect, as Chainlink price feeds have different decimals depending on the asset and feed configuration.

Assuming oracle price precision is an error: Example, Example2 & more.

BTC / ETH and LINK / ETH on Arbitrum have 18 decimals.

Since the value is hardcoded, it is not extensible if price feeds with other than 8 decimals are added in the future.

Vulnerability Details

In the _check function (Check Function):

  • The function hardcodes an assumption that Chainlink price feeds use 8 decimals.

  • However, Chainlink price feeds on Arbitrum vary in precision. For example:

    ETH / USD → 8 decimals ✅ (assumption holds)

    BTC / ETH → 18 decimals ❌ (assumption fails)

The BTC / ETH feed uses 18 decimals, so the division produces an incorrectly scaled price.

Impact

  • Incorrect price validations

  • Wrong price comparisons

  • System malfunction with price feeds that don't use 8 decimals

Tools Used

Manual Review

Recommendations

Query the price feed's decimals instead of assuming 8
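
One way to implement this recommendation, as an added example that is not the KeeperProxy code: read `decimals()` from the feed and rescale the answer to a fixed internal precision before any comparison. The library name `FeedPrice`, its functions, and the 18-decimal target are assumptions made for illustration; only the two `AggregatorV3Interface` functions are Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface used here.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper (not from the audited code base).
library FeedPrice {
    // Assumed internal precision; a real integration would use its own constant.
    uint8 internal constant TARGET_DECIMALS = 18;

    error NonPositiveAnswer(int256 answer);

    // Returns the latest answer expressed with TARGET_DECIMALS decimals,
    // whatever precision the feed itself reports.
    function scaled(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer,,,) = feed.latestRoundData();
        // A zero or negative answer cannot be cast to uint256 safely.
        if (answer <= 0) revert NonPositiveAnswer(answer);
        return rescale(uint256(answer), feed.decimals());
    }

    // Pure rescaling step, kept separate so it can be unit-tested with
    // constructed values, e.g. rescale(2000e8, 8) == rescale(2000e18, 18).
    function rescale(uint256 raw, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return raw;
        if (feedDecimals < TARGET_DECIMALS) {
            // 8-decimal feed (ETH / USD): multiply by 10^10.
            return raw * 10 ** uint256(TARGET_DECIMALS - feedDecimals);
        }
        // Feed is more precise than the target: divide and truncate.
        // Checked arithmetic reverts if the power of ten overflows.
        return raw / 10 ** uint256(feedDecimals - TARGET_DECIMALS);
    }
}
```

With a hardcoded 8, an 18-decimal answer such as BTC / ETH would be read as 10^10 times larger than its real value; reading `decimals()` removes that dependency on the feed's configuration.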

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

hi_there Submitter
5 months ago
0xl33 Auditor
5 months ago
n0kto Lead Judge
5 months ago
n0kto Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
