DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Hardcoded Address

Summary

The contract KeeperProxy has a hardcoded address for the sequencerUptimeFeed in the initialize function. If this feed gets deprecated, the contract will not function correctly.

Vulnerability Details

In the initialize function, the sequencerUptimeFeed is set to a specific address:

sequencerUptimeFeed = AggregatorV2V3Interface(0xFdB631F5EE196F0ed6FAa767959853A9F217697D);

This address is hardcoded, meaning it cannot be changed without redeploying the contract. If the feed at this address gets deprecated, the contract will not be able to validate the sequencer uptime, causing it to fail in its operations.

Impact

If the sequencerUptimeFeed gets deprecated, the contract will not be able to perform its intended functions, such as validating prices and executing keeper functions on the PerpetualVault. This can lead to a complete halt in the contract's operations, affecting all users relying on it.

Tools Used

Manual Review

Recommendations

To mitigate this issue, consider implementing a function that allows the owner to update the address of the sequencerUptimeFeed. This way, if the feed gets deprecated or its address changes, the contract can be updated without needing to redeploy it.
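One way to implement this recommendation, as an added example that is not KeeperProxy's own code. The contract name `UpdatableSequencerFeed`, the single `owner` variable, the event, the custom errors and the locally declared `ISequencerUptimeFeed` interface are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal local interface (assumption): only the one call this example probes.
interface ISequencerUptimeFeed {
    function latestRoundData() external view
        returns (uint80, int256, uint256, uint256, uint80);
}

contract UpdatableSequencerFeed {
    address public owner; // assumption: single-owner access control
    ISequencerUptimeFeed public sequencerUptimeFeed;

    event SequencerUptimeFeedUpdated(address indexed previousFeed, address indexed newFeed);

    error NotOwner();
    error ZeroAddress();
    error FeedNotResponding();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address initialFeed) {
        owner = msg.sender;
        _setFeed(initialFeed);
    }

    // Replaces the feed without redeploying; restricted to the owner.
    function setSequencerUptimeFeed(address newFeed) external onlyOwner {
        _setFeed(newFeed);
    }

    function _setFeed(address newFeed) internal {
        if (newFeed == address(0)) revert ZeroAddress();
        // Probe the candidate so a mistyped or dead address is rejected here
        // rather than discovered when a keeper call later reverts.
        try ISequencerUptimeFeed(newFeed).latestRoundData()
            returns (uint80, int256, uint256, uint256, uint80) {}
        catch {
            revert FeedNotResponding();
        }
        emit SequencerUptimeFeedUpdated(address(sequencerUptimeFeed), newFeed);
        sequencerUptimeFeed = ISequencerUptimeFeed(newFeed);
    }
}
```

The emitted event gives monitoring a record of every feed change, which matters because the setter makes the owner key able to redirect the uptime check.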

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
