Traders can use createTradingAccount()/depositMargin() to deposit collateral funds. If a reorg happens, a malicious user can front-run to create a trading account, and the victim may deposit their funds into the malicious user's account.
In zeros, traders need to create an account and deposit some collateral before they can trade. There are two ways to create an account and deposit collateral:
createTradingAccount()/depositMargin()
createTradingAccountAndMulticall()
Both ways are OK and supported.
The first way uses two separate transactions: one to create the account and one to deposit collateral. Because Optimistic rollups (Optimism/Arbitrum) are susceptible to reorgs, a malicious user can front-run to create the target account and receive the victim's collateral.
Imagine the scenario below:
Alice creates a trading account and owns NFT 1. Alice deposits some collateral to NFT 1.
Bob has an active bot that observes the blockchain and alerts on a reorg.
Bob creates a trading account and owns NFT 1.
Then Alice's transactions are executed: Alice creates another trading account, NFT 2, but deposits collateral to NFT 1.
Alice loses her collateral funds.
Users may lose their deposited funds during a reorg.
Manual
Consider generating unique salt information for each NFT, so that traders can deposit to the NFT with a specific salt.
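The scenario and the salt recommendation above, as a simplified Python model added here (not the protocol's code). It assumes ids are assigned sequentially and that depositMargin() performs no ownership check, as the scenario implies; the registry classes, the replay() helper, the salts and the SHA-256 id derivation are illustrative assumptions.

```python
import hashlib


class SequentialRegistry:
    """Assumed current behaviour: account (NFT) ids follow creation order."""

    def __init__(self):
        self.owner_of, self.margin, self.next_id = {}, {}, 1

    def _register(self, account_id, sender):
        if account_id in self.owner_of:
            raise ValueError("account already exists")
        self.owner_of[account_id], self.margin[account_id] = sender, 0
        return account_id

    def create_trading_account(self, sender, salt):
        account_id, self.next_id = self.next_id, self.next_id + 1  # salt unused
        return self._register(account_id, sender)

    def deposit_margin(self, account_id, amount):
        # No ownership check, as the scenario implies; unknown ids raise (revert).
        self.margin[account_id] += amount


class SaltedRegistry(SequentialRegistry):
    """Recommended variant: id derived from (sender, salt), not from ordering."""

    def create_trading_account(self, sender, salt):
        # SHA-256 stands in for the on-chain hash (assumption for this model).
        digest = hashlib.sha256(f"{sender}|{salt}".encode()).digest()
        return self._register(int.from_bytes(digest, "big"), sender)


def replay(registry_cls, order):
    """Replay Alice's signed deposit after account creations land in `order`."""
    # Id Alice saw on the original chain, where her creation landed first.
    observed_id = registry_cls().create_trading_account("alice", "alice-salt")
    chain = registry_cls()
    for sender in order:  # constructed senders and salts
        chain.create_trading_account(sender, f"{sender}-salt")
    chain.deposit_margin(observed_id, 100)  # deposit still targets observed_id
    return chain.owner_of[observed_id], chain.margin[observed_id]


if __name__ == "__main__":
    for cls in (SequentialRegistry, SaltedRegistry):
        for order in (["alice", "bob"], ["bob", "alice"]):
            print(cls.__name__, order, replay(cls, order))
```

With sequential ids the deposit's recipient depends on transaction order; with salted ids it reaches Alice's account in either order, and reverts if her creation was dropped.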