DeFiFoundry
60,000 USDC
Submission Details
Severity: high
Invalid

Blacklisted Addresses Can Exploit The Exchange

Summary

A critical vulnerability has been identified in the exchange system involving addresses that are blacklisted by popular ERC20 tokens such as USDC. Because transfers to such an address revert, a malicious actor can exploit the exchange through risk-free trades, particularly using MarketIncrease orders.

Vulnerability Details

Addresses that are blacklisted by popular ERC20 tokens such as USDC can be leveraged to exploit the exchange in a number of ways. Such an address cannot be liquidated in any case where the liquidation would transfer leftover collateral back to it in the token it is blacklisted for, since that transfer reverts. Among other ways, a blacklisted address can execute risk-free trades using MarketIncrease orders as follows:

  1. Force the collateral swap to fail via low liquidity in a niche market.

  2. The order cannot be cancelled, since cancellation would attempt to send the user the token they are blacklisted for and the transfer reverts.

  3. Therefore the order remains in the dataStore until liquidity is added.

  4. Deposit liquidity into the low-liquidity market so the MarketIncrease goes through when the attacker wants it to, executing at out-of-date prices for a risk-free trade.

Impact

  1. Potential for significant financial losses to the protocol

  2. Manipulation of market dynamics

  3. Undermining of the exchange's integrity and fairness

Tools Used

Manual Review

Recommendations

Be extremely cautious when adding markets whose tokens implement a blacklist. Consider checking whether a user is blacklisted by the collateral token and denying them service in the affected markets, and ensure that a failed refund transfer cannot leave an order uncancellable.
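The following is an added example illustrating the recommendation; it is not code from the exchange under review or from the DeFiFoundry contest. It shows two defensive patterns against the failure chain described above: screening the order creator against the collateral token's own blacklist before the order is accepted, and refunding collateral on cancellation through a transfer whose failure is isolated, so a reverting refund parks the funds at a holding address instead of leaving the order stuck in storage. `IBlacklistToken` models the `isBlacklisted(address)` view exposed by USDC's FiatToken contract; `OrderVaultExample`, `holdingAddress`, `rawTransfer` and `_refundCollateral` are hypothetical names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's own code. Names below are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Models the `isBlacklisted` view that USDC's FiatToken exposes.
interface IBlacklistToken {
    function isBlacklisted(address account) external view returns (bool);
}

contract OrderVaultExample {
    struct Order {
        address account;
        address collateralToken;
        uint256 collateralAmount;
        bool open;
    }

    // Funds that could not be refunded directly are parked here instead of
    // blocking cancellation (assumed to be a protocol-controlled address).
    address public immutable holdingAddress;
    mapping(bytes32 => Order) public orders;

    event RefundParked(bytes32 indexed key, address indexed account, address token, uint256 amount);
    error AccountBlacklisted(address account, address token);

    constructor(address _holdingAddress) {
        holdingAddress = _holdingAddress;
    }

    // Pattern 1: refuse the order up front if the collateral token's own
    // blacklist reports the account. Tokens without `isBlacklisted` fall into
    // the catch branch and are treated as not blacklisted.
    function _isBlacklisted(address token, address account) internal view returns (bool) {
        try IBlacklistToken(token).isBlacklisted(account) returns (bool flagged) {
            return flagged;
        } catch {
            return false;
        }
    }

    function createOrder(bytes32 key, address collateralToken, uint256 amount) external {
        if (_isBlacklisted(collateralToken, msg.sender)) {
            revert AccountBlacklisted(msg.sender, collateralToken);
        }
        // Collateral is assumed to have been pulled into the vault already.
        orders[key] = Order(msg.sender, collateralToken, amount, true);
    }

    // Pattern 2: cancellation always clears the order from storage; whether
    // the refund transfer succeeds cannot affect that outcome.
    function cancelOrder(bytes32 key) external {
        Order memory o = orders[key];
        require(o.open, "no order");
        delete orders[key];
        _refundCollateral(key, o);
    }

    function _refundCollateral(bytes32 key, Order memory o) internal {
        // try/catch only applies to external calls, so the transfer goes
        // through this contract's own external wrapper. A revert (e.g. a
        // blacklisted recipient) or a false return value is caught here.
        try this.rawTransfer(o.collateralToken, o.account, o.collateralAmount) {
            return;
        } catch {}
        // Direct refund failed: park the funds at the holding address so the
        // order can never become uncancellable.
        require(
            IERC20(o.collateralToken).transfer(holdingAddress, o.collateralAmount),
            "holding transfer failed"
        );
        emit RefundParked(key, o.account, o.collateralToken, o.collateralAmount);
    }

    // External wrapper restricted to self-calls; converts a false return into a revert.
    function rawTransfer(address token, address to, uint256 amount) external {
        require(msg.sender == address(this), "internal only");
        require(IERC20(token).transfer(to, amount), "transfer returned false");
    }
}
```

The pre-check alone is not sufficient, since an account can be blacklisted after its order is created; the fallback refund path is what prevents a reverting transfer from pinning the order in storage while out-of-date prices are waited out.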

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
