Incorrect price validation for long token in KeeperProxy
Summary
The KeeperProxy contract's _validatePrice function incorrectly validates the long token's price. Instead of using the dedicated long token price feed values, the code mistakenly uses the index token price values. This misconfiguration can lead to inaccurate price validations.
Vulnerability Details
Issue:
The function performs validation using the index token price values for the long token:
Instead, the long token's dedicated price feed values should be used to ensure accurate verification.
Risk:
Using the wrong price feed may allow stale or manipulated prices to pass validation, leading to improper keeper actions such as erroneous position adjustments or unintended liquidations.
Impact
Price Manipulation Risk:
Incorrect price validation increases the risk that manipulated or stale prices could be used, potentially triggering inappropriate or harmful protocol operations.
Operational Inaccuracies:
Erroneous price validations may result in inaccurate decisions regarding position adjustments, which could lead to significant financial losses or unexpected liquidations.
Tools Used
Manual code review
Static analysis and comparison against expected oracle usage patterns
Recommendations
Correct the Price Validation Logic:
Update the validation checks to use the correct long token price feed values. For example, change the checks to:
Lead Judging Commences
finding_validatePrice_no_check_for_longTokenPrice
Likelihood: None/Very Low, everytime the keeper send a price via run/runNextAction (sent by the Gamma keeper). Impact: Medium/High, does not check the longTokenPrice, it could go out of range. Keep in mind indexToken == longToken, an error from the keeper could be considered informational.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.