Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Use of uninitialized variable `lastFundingTime` leads to incorrect calcualtions

tedox

Summary

lastFundingTime is used in order to calculate the fundingFeePerUnit but it is not initialized to any value before it is used meaning it is going to be equal to 0 for the first user interacting with the contract which is going to lead to them receiving or paying a much larger funding fee.

Vulnerability Details

When a user's order is executed by the keeper using SettlementBranch::fillMarketOrder the fundingFeePerUnitX18 is calculated by calling PerpMarket::getNextFundingFeePerUnit which after 2 more function calls, calls the function getProportionalElapsedSinceLastFunding. If we take a look at the body of the function we can see it calculates block.timestamp - self.lastFundingTime.

function getProportionalElapsedSinceLastFunding(Data storage self) internal view returns (UD60x18) {

return ud60x18Convert(block.timestamp - self.lastFundingTime).div(

ud60x18Convert(Constants.PROPORTIONAL_FUNDING_PERIOD)

);

}

The problem lies in the fact that self.lastFundingTime will not be initialized for the first transaction in a market when this function is called and it will be equal to 0, making the getProportionalElapsedSinceLastFunding function return a number much bigger than it is supposed to.

The first time lastFundingTime is set is in the next function call inside SettlementBranch::_fillOrder which calls PermMarket::updateFunding

/// @notice Updates the market's funding values.

/// @param self The PerpMarket storage pointer.

/// @param fundingRate The market's current funding rate.

/// @param fundingFeePerUnit The market's current funding fee per unit.

function updateFunding(Data storage self, SD59x18 fundingRate, SD59x18 fundingFeePerUnit) internal {

self.lastFundingRate = fundingRate.intoInt256();

self.lastFundingFeePerUnit = fundingFeePerUnit.intoInt256();

@> self.lastFundingTime = block.timestamp;

}

Impact

The first trade in a market will have its funding fee calculated wrongly which can lead to inaccurate funding fee transfers between users.

Tools Used

Manual review
VS Code

Recommendations

Call PermMarket::updateFunding when a new market is being initialized

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Use of uninitialized variable `lastFundingTime` leads to incorrect calcualtions

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.