Hardcoded `sequencerUptimeFeed` Address
Summary
The KeeperProxy contract initializes the sequencerUptimeFeed variable with a hardcoded address (0xFdB631F5EE196F0ed6FAa767959853A9F217697D) instead of allowing it to be updated dynamically. This can lead to operational issues if the sequencer uptime feed contract address changes or needs to be adjusted for different deployments.
Vulnerability Details
In the initialize function, the contract sets sequencerUptimeFeed to a fixed address:
Impact
Since the address is hardcoded it cannot be updated after deployment, meaning any changes to the sequencer uptime feed contract would require redeployment and if the sequencer uptime feed contract is upgraded or replaced, the KeeperProxy contract may fail to function correctly, as it will continue referencing the outdated contract.
Therefore the inability to update sequencerUptimeFeed can lead to failure in the _validatePrice function, preventing valid transactions from executing if the sequencer uptime feed is deprecated or changed and it also reduces the contract adaptability across networks and potential system downtime if the hardcoded feed becomes unreliable.
Tools
Manual Review
Recommendations
Introduce a setter function to allow updates to sequencerUptimeFeed by the contract owner:
Lead Judging Commences
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.