The KeeperProxy contract’s L2 sequencer price validation mechanism permits stale Chainlink price feeds to remain valid if their configured maxTimeWindow exceeds the 1-hour sequencer recovery period. As a result, the protocol can accept outdated price data during sequencer restarts, allowing attackers to exploit arbitrage opportunities or force inaccurate position valuations based on stale token prices.
The vulnerability stems from how KeeperProxy validates price feeds after sequencer downtime on L2:
The contract checks that an hour (GRACE_PERIOD_TIME) has passed since the sequencer recovered:
Separately, it ensures each feed has updated within maxTimeWindow, a configurable value lacking an upper bound:
Because maxTimeWindow can be arbitrarily large, a feed may appear valid without having posted a fresh update after the sequencer downtime. As soon as the one-hour grace period for the sequencer is over, a price last updated before the outage still passes the staleness check as long as its updatedAt falls within the large maxTimeWindow.
Attackers can exploit this mismatch by choosing tokens whose feeds remain “fresh” solely because their maxTimeWindow is larger than the required recovery period. By submitting trades or position changes in that window, they can leverage older, potentially advantageous price data instead of updated post-downtime rates.
The vulnerability enables erroneous or stale price usage in critical vault operations, creating a high risk of manipulated trades, inaccurate liquidations, and potential losses for users and the protocol treasury whenever the sequencer restarts and price feeds are out of sync.
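One way to close the gap described above, shown as an added illustration rather than KeeperProxy's own code: the setter caps maxTimeWindow at GRACE_PERIOD_TIME, and the price read additionally requires the feed's updatedAt to be later than the sequencer's recorded recovery time, so a pre-outage price cannot pass regardless of the window. The contract, interface surface and storage names (sequencerUptimeFeed, feeds, maxTimeWindow) are assumptions, not the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal Chainlink AggregatorV3 surface used for both the price feeds and the sequencer uptime feed.
interface AggregatorV3Interface {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract HardenedPriceReader {
    uint256 public constant GRACE_PERIOD_TIME = 3600; // 1 hour, as in the finding

    AggregatorV3Interface public immutable sequencerUptimeFeed; // assumed: L2 sequencer uptime feed
    mapping(address => AggregatorV3Interface) public feeds;      // assumed: token => price feed
    mapping(address => uint256) public maxTimeWindow;            // assumed: token => staleness bound

    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice(uint256 updatedAt, uint256 threshold);
    error InvalidPrice(int256 price);
    error WindowTooLarge(uint256 window);

    constructor(address _sequencerUptimeFeed) {
        sequencerUptimeFeed = AggregatorV3Interface(_sequencerUptimeFeed);
    }

    // Fix 1: bound maxTimeWindow so it can never exceed the sequencer grace period.
    function setMaxTimeWindow(address token, uint256 window) external /* onlyOwner in practice */ {
        if (window == 0 || window > GRACE_PERIOD_TIME) revert WindowTooLarge(window);
        maxTimeWindow[token] = window;
    }

    function getPrice(address token) external view returns (int256) {
        // Sequencer uptime feed: answer == 0 means up; startedAt is when the current status began.
        (, int256 status, uint256 sequencerStartedAt, , ) = sequencerUptimeFeed.latestRoundData();
        if (status != 0) revert SequencerDown();
        if (block.timestamp - sequencerStartedAt <= GRACE_PERIOD_TIME) revert GracePeriodNotOver();

        (, int256 price, , uint256 updatedAt, ) = feeds[token].latestRoundData();

        // Fix 2: a post-downtime read must be backed by a post-recovery update.
        // Threshold = the later of (now - maxTimeWindow) and the sequencer recovery time, so a
        // price posted before the outage never passes. An unset window (0) fails closed.
        uint256 threshold = block.timestamp - maxTimeWindow[token];
        if (sequencerStartedAt > threshold) threshold = sequencerStartedAt;
        if (updatedAt <= threshold) revert StalePrice(updatedAt, threshold);
        if (price <= 0) revert InvalidPrice(price);
        return price;
    }
}
```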
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.