DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Lack of Price Feed Fallback Mechanism

Summary

The KeeperProxy contract does not include a fallback mechanism for when the price feed fails or returns invalid values, such as 0, negative values, or values too far from the market price. This could lead to reliance on inaccurate or outdated price information for decision-making, potentially causing financial losses or invalid state changes.

Vulnerability Details

  • The function _validatePrice in KeeperProxy.sol is responsible for validating price data against a trusted price feed (Chainlink).

  • The code assumes that the price returned by the feed is always valid and does not have a fallback mechanism for scenarios where the feed fails or returns erroneous values, such as 0 or a value outside acceptable thresholds.

  • If the price feed fails or returns inconsistent data, this can lead to incorrect pricing decisions.

Impact

  • Financial Loss: Using invalid price data can cause incorrect decisions, such as triggering orders at incorrect prices or invalid price-based logic, which could lead to unexpected financial losses.

  • State Corruption: The contract could enter an invalid state where future actions are based on faulty price data.

  • Reputation Damage: If the price feed fails and there is no fallback, users may lose trust in the system, which could affect adoption and usage.

Tools Used

  • Manual code review

Recommendations

  • Implement a fallback mechanism to handle price feed failures, such as checking if the returned price is within an acceptable range before proceeding with critical actions.

  • Use fallback values or alternative oracles when the primary price feed fails.

  • Implement custom exception handling to revert transactions if the price feed is invalid.
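Added here as an illustration of the checks the recommendations describe; this is not KeeperProxy's code, and the contract, error and parameter names are assumptions. It reads a Chainlink-style feed, rejects zero, negative or stale answers, and reverts when the keeper-supplied price deviates from the feed by more than a configured threshold.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface used by this example.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative oracle guard (assumed names; not the audited contract).
contract PriceGuardExample {
    error InvalidOraclePrice(int256 answer);
    error StaleOraclePrice(uint256 updatedAt);
    error PriceDeviationTooHigh(uint256 deviationBps);

    IAggregatorV3 public immutable feed;
    uint256 public immutable maxStaleness;    // seconds since updatedAt before an answer is rejected
    uint256 public immutable maxDeviationBps; // allowed gap between keeper price and feed price, in bps

    constructor(IAggregatorV3 feed_, uint256 maxStaleness_, uint256 maxDeviationBps_) {
        feed = feed_;
        maxStaleness = maxStaleness_;
        maxDeviationBps = maxDeviationBps_;
    }

    /// @dev Returns the feed price only if it is positive and fresh; otherwise reverts.
    function _safeFeedPrice() internal view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidOraclePrice(answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxStaleness) revert StaleOraclePrice(updatedAt);
        return uint256(answer);
    }

    /// @dev keeperPrice is assumed to use the same decimals as the feed.
    function _validatePrice(uint256 keeperPrice) internal view {
        uint256 feedPrice = _safeFeedPrice();
        uint256 diff = keeperPrice > feedPrice ? keeperPrice - feedPrice : feedPrice - keeperPrice;
        uint256 deviationBps = (diff * 10_000) / feedPrice;
        if (deviationBps > maxDeviationBps) revert PriceDeviationTooHigh(deviationBps);
    }
}
```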

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Suppositions

There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
