DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

The `KeeperProxy` doesn't validate if a price exceeds the min/max price

Summary

The KeeperProxy doesn't validate if a price exceeds the min/max price

Vulnerability Details

Let's take into consideration the ETH/USD price feed on Arbitrum, since it will be used to fetch the USD price of WETH. If we go to the address of the price feed (0x639Fe6ab55C921f74e7fac1ee960C0B6293ba612) and then to the address of the aggregator (0x3607e46698d218B3a5Cae44bF381475C0a5e2ca7), we can see that the min/maxAnswer variables have values different than minAnswer = 1 and maxAnswer = 95780971304118053647396689196894323976171195136475135. This is a problem because if the price of the corresponding asset exceeds those min/maxAnswer variables, the price starts being invalid and actually harmful for the protocol and its users.

Impact

There is a possibility that the price exceeds the min/maxAnswer, which will make the price harmful and invalid.

Tools Used

Manual review

Recommendations

Compare the returned price with the min/maxAnswer and revert if it exceeds them.
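The check recommended above, written out as an added example; this is not code from the DeFiFoundry `KeeperProxy` or from the submission, and the contract name `BoundedPriceReader`, the `heartbeat` staleness parameter and the custom errors are assumptions made here. It reads the bounds from the aggregator that the feed proxy currently points at (Chainlink's `AggregatorProxy.aggregator()` and the `minAnswer()` / `maxAnswer()` getters on the underlying `OffchainAggregator`) rather than hard-coding the values quoted in the report, so a feed upgrade with new bounds is picked up automatically. The staleness check goes one step beyond what the submission asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal subset of Chainlink's AggregatorV3Interface (what the feed address exposes).
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// The feed address is an AggregatorProxy; `aggregator()` returns the live aggregator
/// that actually carries the min/max bounds.
interface IAggregatorProxy is IAggregatorV3 {
    function aggregator() external view returns (address);
}

/// The bounds live on the underlying OffchainAggregator as int192 immutables.
interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

/// Example reader (assumed name, not the project's KeeperProxy) that refuses a price
/// which is pinned at or beyond the aggregator's circuit-breaker bounds.
contract BoundedPriceReader {
    error NonPositivePrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 heartbeat);
    error PriceOutOfBounds(int256 answer, int192 minAnswer, int192 maxAnswer);

    IAggregatorProxy public immutable feed;
    /// Maximum accepted age of an answer, in seconds (assumed parameter; pick the feed's heartbeat).
    uint256 public immutable heartbeat;

    constructor(address feed_, uint256 heartbeat_) {
        feed = IAggregatorProxy(feed_);
        heartbeat = heartbeat_;
    }

    /// Returns the latest answer and its decimals, reverting instead of returning a
    /// non-positive, stale, or bound-pinned price.
    function getPrice() external view returns (uint256 price, uint8 decimals) {
        (, int256 answer,, uint256 updatedAt,) = feed.latestRoundData();

        if (answer <= 0) revert NonPositivePrice(answer);
        if (updatedAt + heartbeat < block.timestamp) revert StalePrice(updatedAt, heartbeat);

        // Read the bounds from whatever aggregator the proxy points at right now.
        IOffchainAggregator agg = IOffchainAggregator(feed.aggregator());
        int192 minAnswer = agg.minAnswer();
        int192 maxAnswer = agg.maxAnswer();

        // Strict comparisons: an answer sitting exactly on a bound means the feed has
        // stopped tracking the market, so it is rejected as well.
        if (answer <= int256(minAnswer) || answer >= int256(maxAnswer)) {
            revert PriceOutOfBounds(answer, minAnswer, maxAnswer);
        }

        return (uint256(answer), feed.decimals());
    }
}
```

Two things worth keeping in mind when adopting this. First, the getters are on the aggregator, not on the proxy address a protocol normally stores, hence the extra `aggregator()` hop; on feeds whose bounds are set to effectively unbounded values the comparison never trips, but it still costs two external calls per read. Second, reverting is a deliberate choice: while the circuit breaker is engaged the protocol cannot price the asset at all, which is the safer failure mode compared with continuing to operate on a value that no longer reflects the market.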

Updates

Lead Judging Commences

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
