DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Valid

Some Assets Do Not Have a Chainlink Oracle Service

Summary

The protocol supports the assets listed in the next section. However, some of these assets have no USD oracle that the current price implementation can use.

Vulnerability Details

The protocol uses Chainlink for the price feeds of its supported assets. It converts a given amount of an asset into its USD value to perform operations such as opening positions, liquidating accounts, and creating market orders. All core features of Zaros rely on the oracle for accurate pricing.

List of In-Scope Assets:

Tokens:

  • WETH

  • WEETH

  • WSTETH

  • WBTC

  • USDC

  • USDT

  • USDE

  • SUSDE

  • ERC721 (Zaros Account NFT, AccountNFT.sol)

However, Chainlink provides no WSTETH/USD, WEETH/USD or WETH/USD oracle.

Assets Without USD Oracle:

  • WETH: No clear USD Oracle, but we can use the ETH:USD Oracle here.

  • WEETH: No USD Oracle.

  • WSTETH: No USD Oracle.

Impact

Tokens without a USD oracle cannot be traded or used on Zaros, even though they are in scope and the Zaros protocol is required to support them. If they are used anyway, they will report incorrect values, resulting in asset loss for the user.

Tools Used

Manual Review

Recommendations

One way to fix the issue is to first compute the value of each wrapped asset in its unwrapped form and then fetch the USD price of the unwrapped asset from the Chainlink oracle.

Fix for WSTETH:

  1. Convert WSTETH to STETH using the Lido STETH contract to obtain the value of WSTETH in STETH.

  2. Convert STETH to USD using the ChainLink oracle.

Fix for WEETH:

  1. Convert WEETH to ETH to obtain the value of WEETH in ETH.

  2. Convert ETH to USD using the ChainLink oracle.

There is no actual conversion involved; the converted value can be obtained by calling read-only functions of the respective protocols.
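The two-step WSTETH valuation above, written out as an added example (not code from the Zaros repository or from this submission). The contract name `WstEthUsdAdapter`, the `maxStaleness` bound and the constructor parameters are assumptions; it also assumes that Lido's `getStETHByWstETH` view function and a STETH/USD Chainlink feed are reachable on the deployment chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink price feed interface (only the functions used here).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Read-only rate function of Lido's wstETH contract.
interface IWstETH {
    function getStETHByWstETH(uint256 wstETHAmount) external view returns (uint256);
}

// Hypothetical adapter: values WSTETH in USD in the two steps listed above.
contract WstEthUsdAdapter {
    IWstETH public immutable wstETH;
    AggregatorV3Interface public immutable stEthUsdFeed;
    uint256 public immutable maxStaleness; // assumed bound on feed age, in seconds

    error InvalidPrice();
    error StalePrice();

    constructor(IWstETH _wstETH, AggregatorV3Interface _feed, uint256 _maxStaleness) {
        wstETH = _wstETH;
        stEthUsdFeed = _feed;
        maxStaleness = _maxStaleness;
    }

    /// @return usdValue USD value of `amount` WSTETH, scaled to 18 decimals.
    function getUsdValue(uint256 amount) external view returns (uint256 usdValue) {
        // Step 1: WSTETH -> STETH through a view call; no tokens are unwrapped.
        uint256 stEthAmount = wstETH.getStETHByWstETH(amount);

        // Step 2: STETH -> USD through the Chainlink feed, rejecting bad rounds.
        (, int256 answer,, uint256 updatedAt,) = stEthUsdFeed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > maxStaleness) revert StalePrice();

        // STETH has 18 decimals, so dividing by the feed scale leaves 18 decimals.
        usdValue = (stEthAmount * uint256(answer)) / (10 ** uint256(stEthUsdFeed.decimals()));
    }
}
```

The WEETH case has the same shape: replace the rate call with the corresponding read-only function of the WEETH contract and point the feed at ETH/USD.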

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Some in-scope tokens don't have Chainlink feeds on Arbi
