The KeeperProxy contract fails to properly validate oracle price freshness, allowing attackers to manipulate price feeds and execute trades at stale prices.
The function _validatePrice() checks Chainlink oracle prices but only verifies timestamps.
There is no check for significant price deviations between on-chain and Chainlink oracle data.
Attackers can delay price updates, causing the contract to accept outdated (manipulated) prices.
This allows bad actors to exploit price mismatches in leveraged positions.
PoC
Manipulate Off-Chain Data: Delay Chainlink updates while executing trades on GMX.
Trigger a Vault Operation: Call runNextAction() with outdated MarketPrices.
Profit from the Discrepancy: Exploit price difference for unfair advantages in leverage positions.
Arbitrage Exploits: Attackers can use outdated prices to open risk-free arbitrage positions.
Liquidation Manipulation: Malicious users can force liquidations at incorrect prices.
Denial of Service (DoS): If price updates are intentionally delayed, vault operations may stall.
Manual review
Implement price deviation checks between Chainlink and on-chain oracle data.
Reject operations where price deviation exceeds a defined threshold (e.g., 1%).
Require multiple oracle sources to confirm price validity.
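The deviation check recommended above, as an added Solidity example (not part of the submission and not the KeeperProxy code). The library name PriceGuard, its check function, and the suppliedDecimals, maxAge and maxBps parameters are hypothetical; only the Chainlink AggregatorV3Interface calls are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt,
        uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper for illustration; not the KeeperProxy implementation.
library PriceGuard {
    uint256 internal constant BPS = 10_000;

    error InvalidFeedAnswer();
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error PriceDeviation(uint256 supplied, uint256 feedPrice, uint256 maxBps);

    /// @param feed             Chainlink feed for the asset being priced
    /// @param supplied         price passed in by the keeper (assumed unsigned)
    /// @param suppliedDecimals decimals of `supplied` (assumed known to the caller)
    /// @param maxAge / maxBps  staleness limit in seconds; deviation limit, 100 = 1%
    function check(
        AggregatorV3Interface feed,
        uint256 supplied,
        uint8 suppliedDecimals,
        uint256 maxAge,
        uint256 maxBps
    ) internal view {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0 || updatedAt == 0) revert InvalidFeedAnswer();
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);

        // Bring the feed answer to the same scale as the supplied price.
        uint256 feedPrice = _rescale(uint256(answer), feed.decimals(), suppliedDecimals);
        if (feedPrice == 0) revert InvalidFeedAnswer();
        uint256 diff = supplied > feedPrice ? supplied - feedPrice : feedPrice - supplied;
        // Reject when |supplied - feedPrice| / feedPrice exceeds maxBps / 10_000.
        if (diff * BPS > feedPrice * maxBps) revert PriceDeviation(supplied, feedPrice, maxBps);
    }

    function _rescale(uint256 v, uint8 from, uint8 to) private pure returns (uint256) {
        if (from == to) return v;
        return from < to ? v * uint256(10) ** (to - from) : v / uint256(10) ** (from - to);
    }
}
```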
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.