The KeeperProxy.sol contract lacks explicit reentrancy protection in several critical functions, leaving them open to reentrancy exploits. Functions such as run(), runNextAction(), cancelFlow(), and cancelOrder() are susceptible to being re-entered by external contracts, which could lead to unintended behavior and manipulation of contract states.
The contract relies on the inheritance of ReentrancyGuardUpgradeable via Ownable2StepUpgradeable, but inheriting the guard does not by itself protect any function: the protection takes effect only on functions that carry the nonReentrant modifier, which these critical functions do not.
Functions like run(), runNextAction(), cancelFlow(), and cancelOrder() perform external contract calls, which opens the possibility of a malicious contract interacting with these functions, triggering reentrancy.
Reentrancy exploits typically occur when a contract calls an external contract, which in turn calls back into the contract’s function, leading to unpredictable changes in the state before the original function completes execution.
State Manipulation: An attacker can exploit reentrancy to manipulate contract states such as orders, flows, or internal variables by triggering functions multiple times before state changes occur.
Denial of Service (DoS): Reentrancy may cause the contract to go into an inconsistent state, making it unresponsive or stuck in an unclean state.
Unexpected Behavior: Functions may not behave as expected. For instance, order cancellation may be performed multiple times, leading to incorrect state transitions.
Manual code review
Apply the nonReentrant modifier to the critical functions like run(), runNextAction(), cancelFlow(), and cancelOrder().
Ensure that all functions interacting with external contracts or calling potentially untrusted external addresses have reentrancy protection to prevent malicious re-execution.
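One way to keep this recommendation enforced during review or in CI is a small source check, shown here as an added example that is not part of the original finding or the project's code. The Solidity sample is constructed: the contract name `SampleProxy`, the function signatures, the `onlyKeeper` modifier and the `target` calls are assumptions, and only the four function names come from the finding.

```python
import re

# Function names the finding lists as needing the guard.
CRITICAL = ("run", "runNextAction", "cancelFlow", "cancelOrder")

# Function header: name, parameter list, then visibility/modifiers up to '{' or ';'.
# Heuristic only: parameter lists with nested parentheses are not handled.
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")

def strip_comments(src):
    """Drop block and line comments so commented-out code is not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def unguarded(source, names=CRITICAL):
    """Return state-changing external/public functions that lack nonReentrant.

    names=None checks every such function instead of only the listed ones.
    """
    missing = []
    for m in FUNC_RE.finditer(strip_comments(source)):
        name, words = m.group(1), set(re.findall(r"\w+", m.group(3)))
        if names is not None and name not in names:
            continue
        if not words & {"external", "public"} or words & {"view", "pure"}:
            continue  # not callable from outside, or cannot change state
        if "nonReentrant" not in words:
            missing.append(name)
    return missing

# Constructed sample: inherits the guard but applies it to only two functions.
SAMPLE = """
contract SampleProxy is Ownable2StepUpgradeable, ReentrancyGuardUpgradeable {
    function run(uint256 flowId) external onlyKeeper { target.execute(flowId); }
    function runNextAction(uint256 flowId) external onlyKeeper nonReentrant { target.next(flowId); }
    // function cancelFlow(uint256 flowId) external nonReentrant {}
    function cancelFlow(uint256 flowId) external onlyKeeper { target.cancel(flowId); }
    function cancelOrder(uint256 orderId)
        external
        onlyKeeper
        nonReentrant
    { target.cancelOrder(orderId); }
    function flowCount() external view returns (uint256) { return n; }
}
"""

if __name__ == "__main__":
    for fn in unguarded(SAMPLE):
        print(f"missing nonReentrant: {fn}()")
```

The check reads the modifier list only; it does not prove that a function makes an external call, so treat a hit as a prompt for manual review.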