Zaros Part 1

Summary

The update function within the MarketOrder library lacks input validation for the marketId and sizeDelta parameters. This oversight could lead to the storage of invalid or malicious data, potentially causing unintended consequences within the perpetuals trading system.

Vulnerability Details

The update function directly modifies the marketId, sizeDelta, and timestamp fields of a MarketOrder struct without performing any checks on the validity or appropriateness of the input values. This could allow for:

• Invalid Market IDs: An incorrect marketId could be set, potentially linking a market order to a non-existent or incorrect market.

• Manipulated Order Sizes: A malicious actor could set an extreme sizeDelta value, potentially disrupting market dynamics or triggering unintended liquidations.

• Incorrect Timestamps: An incorrect timestamp could be set, leading to errors in order processing or calculations based on the order's age.

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/leaves/MarketOrder.sol#L43-L47

Impact

Invalid or manipulated market orders could disrupt the normal functioning of the perpetuals market, leading to unexpected price movements, incorrect calculations, and potential financial losses for users.

Tools Used

Manual Review

Recommendations

Add input validation checks to the update function to ensure that the marketId and sizeDelta parameters are within acceptable ranges and meet the requirements of the system.