Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Potential Indefinite Denial of Service in `fillOffchainOrders` Due to Reverting Checks

pelz

Summary

The fillOffchainOrders function in SettlementBranch.sol can cause an indefinite denial of service (DoS) to the protocol if one of the checks within the loop reverts. This issue can prevent all other off-chain orders from being processed until the problematic order is manually resolved, potentially leading to significant disruptions in the protocol's operation.

Vulnerability Details

The fillOffchainOrders function processes multiple off-chain orders by verifying various conditions and executing them based on provided details. However, if any order within the batch fails a check (e.g., if sizeDelta is zero), the function will revert, causing the entire transaction to fail. This behavior can lead to an indefinite DoS as other valid orders will not be processed until the offending order is addressed.

Detailed Explanation

When the fillOffchainOrders function is called, it iterates through each off-chain order, performing several checks and operations. If any check fails, the function reverts, and no further orders are processed. For instance, if ctx.offchainOrder.sizeDelta is zero, the function reverts with an error. Since the function is called by Chainlink keepers, which might process multiple orders in one transaction, the failure of a single order can block all subsequent orders in the same batch.

function fillOffchainOrders(

uint128 marketId,

OffchainOrder.Data[] calldata offchainOrders,

bytes calldata priceData

)

external

onlyOffchainOrdersKeeper(marketId)

{

// working data

FillOffchainOrders_Context memory ctx;

// fetch storage slot for perp market's offchain order config

SettlementConfiguration.Data storage settlementConfiguration =

SettlementConfiguration.load(marketId, SettlementConfiguration.OFFCHAIN_ORDERS_CONFIGURATION_ID);

// fetch storage slot for perp market

PerpMarket.Data storage perpMarket = PerpMarket.load(marketId);

// fetch storage slot for global config

GlobalConfiguration.Data storage globalConfiguration = GlobalConfiguration.load();

// verifies provided price data following the configured settlement strategy

// returning the bid and ask prices

(ctx.bidX18, ctx.askX18) =

settlementConfiguration.verifyOffchainPrice(priceData, globalConfiguration.maxVerificationDelay);

// iterate through off-chain orders; intentionally not caching

// length as reading from calldata is faster

for (uint256 i; i < offchainOrders.length; i++) {

ctx.offchainOrder = offchainOrders[i];

// enforce size > 0

if (ctx.offchainOrder.sizeDelta == 0) {

revert Errors.ZeroInput("offchainOrder.sizeDelta");

}

// load existing trading account; reverts for non-existent account

TradingAccount.Data storage tradingAccount =

TradingAccount.loadExisting(ctx.offchainOrder.tradingAccountId);

// enforce that keeper is filling the order for the correct marketId

if (marketId != ctx.offchainOrder.marketId) {

revert Errors.OrderMarketIdMismatch(marketId, ctx.offchainOrder.marketId);

}

// First we check if the nonce is valid, as a first measure to protect from replay attacks, according to

// the offchain order's type (each type may have its own business logic).

if (ctx.offchainOrder.nonce != tradingAccount.nonce) {

revert Errors.InvalidSignedNonce(tradingAccount.nonce, ctx.offchainOrder.nonce);

}

ctx.structHash = keccak256(

abi.encode(

Constants.CREATE_OFFCHAIN_ORDER_TYPEHASH,

ctx.offchainOrder.tradingAccountId,

ctx.offchainOrder.marketId,

ctx.offchainOrder.sizeDelta,

ctx.offchainOrder.targetPrice,

ctx.offchainOrder.shouldIncreaseNonce,

ctx.offchainOrder.nonce,

ctx.offchainOrder.salt

)

);

// If the offchain order has already been filled, revert.

if (tradingAccount.hasOffchainOrderBeenFilled[ctx.structHash]) {

revert Errors.OrderAlreadyFilled(ctx.offchainOrder.tradingAccountId, ctx.offchainOrder.salt);

}

// `ecrecover`s the order signer.

ctx.signer = ECDSA.recover(

_hashTypedDataV4(ctx.structHash), ctx.offchainOrder.v, ctx.offchainOrder.r, ctx.offchainOrder.s

);

// ensure the signer is the owner of the trading account, otherwise revert.

if (ctx.signer != tradingAccount.owner) {

revert Errors.InvalidOrderSigner(ctx.signer, tradingAccount.owner);

}

// cache the order side

ctx.isBuyOrder = ctx.offchainOrder.sizeDelta > 0;

// buy order -> match against the ask price

// sell order -> match against the bid price

ctx.indexPriceX18 = ctx.isBuyOrder ? ctx.askX18 : ctx.bidX18;

// verify the provided price data against the verifier and ensure it's valid, then get the mark price

// based on the returned index price.

ctx.fillPriceX18 = perpMarket.getMarkPrice(sd59x18(ctx.offchainOrder.sizeDelta), ctx.indexPriceX18);

// if the order increases the trading account's position (buy order), the fill price must be less than or

// equal to the target price, if it decreases the trading account's position (sell order), the fill price

// must be greater than or equal to the target price.

ctx.isFillPriceValid = (ctx.isBuyOrder && ctx.offchainOrder.targetPrice <= ctx.fillPriceX18.intoUint256())

|| (!ctx.isBuyOrder && ctx.offchainOrder.targetPrice >= ctx.fillPriceX18.intoUint256());

// we don't revert here because we want to continue filling other orders.

if (!ctx.isFillPriceValid) {

continue;

}

// account state updates start here

// increase the trading account nonce if the order's flag is true.

if (ctx.offchainOrder.shouldIncreaseNonce) {

unchecked {

tradingAccount.nonce++;

}

// mark the offchain order as filled.

// we store the struct hash to be marked as filled.

tradingAccount.hasOffchainOrderBeenFilled[ctx.structHash] = true;

// fill the offchain order.

_fillOrder(

ctx.offchainOrder.tradingAccountId,

marketId,

SettlementConfiguration.OFFCHAIN_ORDERS_CONFIGURATION_ID,

sd59x18(ctx.offchainOrder.sizeDelta),

ctx.fillPriceX18

);

}

Impact

If the fillOffchainOrders function reverts due to any check failure within the loop, it will prevent all subsequent orders from being processed. This can cause a backlog of unfilled orders, leading to significant delays and potential financial losses for users and the protocol. Additionally, if users are not liquidated when they should be, they could bypass liquidation if the price moves in their favor, potentially resulting in bad debt for the protocol.

Tools Used

Manual review

Recommendations

If any of the checks that rely on users order is likely to revert use continue instead of revert.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

fillOffchainOrders reverts everything if a single order fails one of the multiple checks

If you send 1 cancel and 1 create it should still run the cancel, not revert everything.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!