Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`encodeData` in `fillOffchainOrders` do incorrect hashing, leads to EIP712 incompatibility

Panthers

GitHub
https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/SettlementBranch.sol#L249

Summary

According to EIP712:

"The dynamic values bytes and string are encoded as a keccak256 hash of their contents."

However, in SettlementBranch.sol when fillOffchainOrders is called, the salt field is included in the abi.encode call without being hashed first.

Impact

The contract is not compatible with EIP712. This may result in issues with integrators who expect the salt field to be hashed according to the EIP712 specification, potentially leading to signature verification failures & integration problems.

Recommendation

To comply with EIP712, ensure that the salt field is hashed using keccak256 before being included in the abi.encode call. Update the relevant code in the fillOffchainOrders function as follows:

ctx.structHash = keccak256(

abi.encode(

Constants.CREATE_OFFCHAIN_ORDER_TYPEHASH,

ctx.offchainOrder.tradingAccountId,

ctx.offchainOrder.marketId,

ctx.offchainOrder.sizeDelta,

ctx.offchainOrder.targetPrice,

ctx.offchainOrder.shouldIncreaseNonce,

ctx.offchainOrder.nonce,

keccak256(ctx.offchainOrder.salt) // Correctly hash the salt field

)

);

This change will ensure that the dynamic value salt is properly encoded according to EIP712, maintaining compatibility with the standard and preventing potential integration issues.

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

0xtheblackpanther Submitter

about 1 year ago

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.