Submission Details
Severity:
`SettlementConfiguration.requireDataStreamsReportIsValid` does not check `ask` and `bid` values.
Summary
SettlementConfiguration.requireDataStreamsReportIsValid does not check ask and bid values.
Vulnerability Details
requireDataStreamsReportIsValid
does not check ask and bid values. They are int192, so must be checked if they are positive and ask is greater than bid.
if (
streamId != premiumReport.feedId
|| block.timestamp > premiumReport.validFromTimestamp + maxVerificationDelay
) {
revert Errors.InvalidDataStreamReport(streamId, premiumReport.feedId);
}
Impact
Invalid premiumReport.ask or bid can be used as a mark price and cause wrong profit/loss to users.
Tools Used
Manual
Recommendations
Update as below.
if (
streamId != premiumReport.feedId
|| block.timestamp > premiumReport.validFromTimestamp + maxVerificationDelay
+ || premiumReport.ask <= 0 || premiumReport.bid <= 0 || premiumReport.ask < premiumReport.bid
) {
revert Errors.InvalidDataStreamReport(streamId, premiumReport.feedId);
}
https://github.com/Cyfrin/2024-07-zaros/blob/7439d79e627286ade431d4ea02805715e46ccf42/src/perpetuals/leaves/SettlementConfiguration.sol#L97-L103
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,87821 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.