Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Potential DoS on liquidations and other important functionalities

samuraii77

Summary

Potential DoS on liquidations and other important functionalities

Vulnerability Details

Upon functionalities like filling orders and liquidations, we calculate the mark price like this:

function getMarkPrice(
Data storage self,
SD59x18 skewDelta,
UD60x18 indexPriceX18
)
internal
view
returns (UD60x18 markPrice)
{
SD59x18 skewScale = sd59x18(self.configuration.skewScale.toInt256());
SD59x18 skew = sd59x18(self.skew);
SD59x18 priceImpactBeforeDelta = skew.div(skewScale);
SD59x18 newSkew = skew.add(skewDelta);
SD59x18 priceImpactAfterDelta = newSkew.div(skewScale);
SD59x18 cachedIndexPriceX18 = indexPriceX18.intoSD59x18();
UD60x18 priceBeforeDelta = cachedIndexPriceX18.add(cachedIndexPriceX18.mul(priceImpactBeforeDelta)).intoUD60x18();
UD60x18 priceAfterDelta = cachedIndexPriceX18.add(cachedIndexPriceX18.mul(priceImpactAfterDelta)).intoUD60x18();
markPrice = priceBeforeDelta.add(priceAfterDelta).div(ud60x18Convert(2));
}

This function can revert in some cases which would be extremely detrimental to the health of the protocol, especially when liquidating someone. Let's take a look at this particular line:

cachedIndexPriceX18.add(cachedIndexPriceX18.mul(priceImpactBeforeDelta)).intoUD60x18();

We do calculations based on the index price and the price impact (either before or after delta, both lines are vulnerable to reverts). Then, we turn the signed number (SD59x18) into an unsigned one. Thus, if the result of the calculation is a negative number, it will revert. For the calculation to turn out negative, cachedIndexPriceX18.mul(priceImpactBeforeDelta) would have to be a negative number which has an absolute value higher than cachedIndexPriceX18. For that to happen, priceImpactBeforeDelta (or afterDelta for the priceAfterDelta calculation) would have to be < -1e18.

For example, imagine index price is 100e18 and the price impact is -1e18 - 1. Then, the calculation would be . This is a negative number that would revert when turned into an unsigned one. The calculation includes dividing by 1e18 due to the mul() implementation.

Now, the only thing needed is for priceImpactBeforeDelta to be lower than -1e18. This is how it gets its value:

SD59x18 priceImpactBeforeDelta = skew.div(skewScale);

If skewis a negative number (very likely) which has an absolute value higher than skewScale by a large enough amount for it to not round down to 1e18, then the above scenario would occur. Imagine skew = - 10e18 - 10 and skewScale is 10e18. Thus, the calculation would be . Essentially, if the skew goes above the skewScale, then this issue is likely to happen which would be detrimental to the protocol as it can DoS liquidations.

Impact

Potential DoS on liquidations and other important functionalities, likelihood is not very high, impact is critical, thus a medium is appropriate.

Tools Used

Manual Review

Recommendations

Do not unsafe cast

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

samuraii77 Submitter
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.