Zaros Part 1

Summary:

The absence of pausable functionality in the most of the smart contracts significantly increases the risk exposure of the protocol. This oversight prevents administrators from halting operations during emergencies, potentially leading to prolonged exploits and financial losses.

Vulnerability Details:

• Root Cause: The TradingAccountBranch contract does not include a mechanism to pause its operations, such as inheriting from OpenZeppelin's Pausable contract or implementing a custom pausable feature in the withdrawMargin and depositMargin functions.

• Impact: The inability to pause the contract in response to security threats or operational issues can result in:

  • Extended duration of exploits, leading to more substantial financial losses.

  • Inability to perform emergency maintenance or upgrades safely.

  • Increased risk of systemic failures due to dependency issues or market manipulations.

Code Snippets:

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/TradingAccountBranch.sol

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/SettlementBranch.sol

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/PerpMarketBranch.sol

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/OrderBranch.sol

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/LiquidationBranch.sol

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/GlobalConfigurationBranch.sol

Impact:

1. Prolonged Exploits: The lack of pausable functionality allows exploits to continue unchecked, potentially leading to extensive financial damage. Vulnerabilities can be exploited over a longer period, resulting in more assets being drained from the protocol.

2. Emergency Response: The protocol's ability to respond swiftly to critical issues is limited without pausable functionality. Operational downtime and delays in deploying fixes or updates can exacerbate problems and increase the risk of further exploits.

3. User Trust: Confidence in the protocol's security and reliability may be undermined. Users may withdraw funds and cease using the platform if they believe their assets are not adequately protected, leading to reduced liquidity and overall participation.

4. Financial Losses: Significant monetary loss can occur due to prolonged exploits and vulnerabilities, affecting both the protocol's reserves and users' funds. The absence of a mechanism to halt operations increases the risk of financial damage.

Tools Used:

Manual Analysis

Recommendations:

Implement Pausable Functionality:

• Integrate OpenZeppelin's Pausable contract into the most of the smart contracts.

• Add whenNotPaused modifiers to all critical functions that affect user funds and protocol operations.

• Provide a mechanism for authorized administrators to pause and unpause the contract in emergencies.

Implementing these recommendations will enhance the protocol's resilience, allowing for effective management of unforeseen issues and safeguarding user assets.