Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Missing checks in determining datastreams report validity

cryptomoon

Summary

The function related to settlement of orders needs to check whether the priceDatais valid or not. However, some of the checks are missing which may result in stale price being used for order.

Vulnerability Details

Below is the function:

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/leaves/SettlementConfiguration.sol#L87-L103

function requireDataStreamsReportIsValid(

bytes32 streamId,

bytes memory verifiedReportData,

uint256 maxVerificationDelay

)

internal

view

{

PremiumReport memory premiumReport = abi.decode(verifiedReportData, (PremiumReport));

if (

streamId != premiumReport.feedId

|| block.timestamp > premiumReport.validFromTimestamp + maxVerificationDelay

) {

revert Errors.InvalidDataStreamReport(streamId, premiumReport.feedId);

}

PremiumReportstruct is as follows:

struct PremiumReport {

bytes32 feedId; // The feed ID the report has data for

uint32 validFromTimestamp; // Earliest timestamp for which price is applicable

uint32 observationsTimestamp; // Latest timestamp for which price is applicable

uint192 nativeFee; // Base cost to validate a transaction using the report, denominated in the chain’s native

// token (WETH/ETH)

uint192 linkFee; // Base cost to validate a transaction using the report, denominated in LINK

uint32 expiresAt; // Latest timestamp where the report can be verified on-chain

int192 price; // DON consensus median price, carried to 8 decimal places

int192 bid; // Simulated price impact of a buy order up to the X% depth of liquidity utilisation

int192 ask; // Simulated price impact of a sell order up to the X% depth of liquidity utilisation

}

The function requireDataStreamsReportIsValiddoesn't check if the price data is valid at block.timestamp. It also doesn't check if the report is expired or not. Due to this, orders may be filled with expired price data. Also, the keepercan also be any users for the protocol. So, they can feed expired price data for order settlement causing traders to get unfair prices.

The function is being used at following places:

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/SettlementBranch.sol#L138-L139

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/SettlementBranch.sol#L209-L210

Impact

Users may get their orders filled using expired price data.

Tools Used

Manual

Recommendations

Add following check in the mentioned function

if (

streamId != premiumReport.feedId

|| block.timestamp > premiumReport.validFromTimestamp + maxVerificationDelay

|| block.timestamp > expiresAt || block.timestamp > observationsTimestamp

) {

revert Errors.InvalidDataStreamReport(streamId, premiumReport.feedId);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

There is a chance of consuming stale reports

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!