Missing slippage control for market order
Summary
It's risky not setting slippage control for market order, as there is no guarantee the order would be filled immediately after creation.
Vulnerability Details
When a trader creates an market order, they specify sizeDelta and leave to the market to decide the fill price, as well as the position leverage.
When the order is filled, the order's fill price is determined by the index price and the skew.
Traders expect that the protocol performs like the traditional centralized perpetual market, that the market order could be filled immediately and the fill price does not deviates far from the price when trader created the order. Unfortunately, this is a false assumption.
Like any other decentralized protocol, the order filling transaction would be pending for any reason (sequencer is down, gas price went up, validator does not include TX, etc) and there could be significant market fluctuation before the order is actually filled, trader becomes subject to liquidation due to high leverage.
Impact
A position could be opened with an extremely high leverage, a minor fluctuation could lead to major loss to the trader, and the position may be liquidated in the end.
Tools Used
Manual Review
Recommendations
Add slippage control for market order, trader should be allowed to set the max leverage they feel comfortable with, order filling transaction should be reverted if the actual leverage is higher than the leverage trader specified.
Lead Judging Commences
fillMarketOrder lacks slippage protection
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.