Summary

The GlobalConfigurationBranch contract contains critical functions for updating token addresses, specifically setTradingAccountToken and setUsdToken. These functions allow for immediate changes to core token addresses without any transition period or mechanism to handle ongoing operations. This abrupt change can lead to severe issues with fund management, potentially resulting in lost or stuck assets.

https://github.com/Cyfrin/2024-07-zaros/blob/69ccf428b745058bea08804b3f3d961d31406ba8/src/perpetuals/branches/GlobalConfigurationBranch.sol#L179C3-L188C6

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/GlobalConfigurationBranch.sol#L192C5-L201C6

Vulnerability Details

1: Admin updates the USD token address.

2: mmediately after the update, a user initiates a withdrawal of USD tokens.

3: The withdrawal function, which hasn't been updated to use the new address, attempts to transfer tokens from the old address.

4: The withdrawal fails, potentially leaving the user's funds stuck in the contract.

Impact

1: Lost Funds: Users interacting with the old token address immediately after an update may send funds to an address no longer recognized by the system.

2: Stuck Assets: Existing balances or ongoing transactions using the old token address may become inaccessible or unprocessable.

3: Inconsistent State: Parts of the system may reference the old address while others use the new one, leading to system-wide inconsistencies.

4: Failed Operations: Critical operations like trades, liquidations, or withdrawals may fail unexpectedly due to the sudden address change.

Tools Used

Manual review

Recommendations

1: Implement a time-lock mechanism for address updates

2: Implement a migration mechanism for handling existing balances and operations.

3: Add version control to token interactions, allowing the system to recognize and handle both old and new addresses during a transition period.