Hardcoded sequencer uptime feed will fail on Avalanche
Summary
The KeeperProxy contract hardcodes the Chainlink sequencer uptime feed address for Arbitrum, but Avalanche lacks a sequencer uptime feed, breaking core protocol functionality on Avalanche.
Vulnerability Details
According to the README, contracts should be compatible with Arbitrum and Avalanche.
In KeeperProxy.sol, the Arbitrum sequencer uptime feed address is hardcoded in the intialize function:
The problem is that there's no sequencer uptime feed on Avalanche, so any calls from keepers to KeeperProxy.sol will revert.
Users would be able to deposit into an Avalanche perpetual vault, but the position would never be able to be opened, breaking core functionality of the protocol.
Impact
Breaks core protocol functionality.
Tools Used
Manual review.
Recommendations
If the chain is Avalanche, skip the sequencer uptime check.
Lead Judging Commences
finding_Avalanche_has_no_sequencer
Likelihood: High, run and runNextAction will revert. Impact: Low, any deposit will be retrieve thanks to cancelFlow.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.