Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

The priceFeedHeartbeatSeconds variable is missing from the update function and cannot be set. As a result, a priceFeed check will practically always revert.

TeamRockSolid

Summary

The marketConfiguration is set through the MarketConfiguration.update function. However, the priceFeedHeartbeatSeconds variable is missing from the update function. The default value of 0 cannot be changed which means every price check will revert due to Errors.OraclePriceFeedHeartbeat(address(priceFeed)).

Vulnerability Details

MarketConfiguration.Data is updated through the MarketConfiguration.update function, but the Data.priceFeedHeartbeatSeconds variable is missing. Therefore, even if the MarketConfiguration.update function passes in the priceFeedHeartbeatSeconds parameter, it cannot be assigned a value.
Since the priceFeedHeartbeatSeconds variable cannot be assigned a value, the initial value is maintained at 0.
The Data.priceFeedHeartbeatSeconds variable is used by the getIndexPrice function to check when getting the price. It indicates the maximum acceptable timeout.

try priceFeed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {

if (block.timestamp - updatedAt > priceFeedHeartbeatSeconds) {

revert Errors.OraclePriceFeedHeartbeat(address(priceFeed));

}

···

} catch {

revert Errors.InvalidOracleReturn();

}

As shown in the code, since priceFeedHeartbeatSeconds is always 0, the price can only be obtained correctly when block.timestamp<=updatedAt. That is, the price can only be obtained correctly at the moment when the priceFeed price is updated. Which is practically impossible.

Impact

The impact is high since it breaks all price requests and the likelyhood is 100%, so we believe this merits a High severity.

Tools Used

Manual Review

Recommendations

Update the update function so that it will correctly set the priceFeedHeartBeatSeconds variable.

function update(Data storage self, Data memory params) internal {

self.name = params.name;

self.symbol = params.symbol;

self.priceAdapter = params.priceAdapter;

self.initialMarginRateX18 = params.initialMarginRateX18;

self.maintenanceMarginRateX18 = params.maintenanceMarginRateX18;

self.maxOpenInterest = params.maxOpenInterest;

self.maxSkew = params.maxSkew;

self.maxFundingVelocity = params.maxFundingVelocity;

self.minTradeSizeX18 = params.minTradeSizeX18;

self.skewScale = params.skewScale;

self.orderFees = params.orderFees;

+ self.priceFeedHeartbeatSeconds = params.priceFeedHeartbeatSeconds;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`MarketConfiguration::update` function lacks `priceFeedHeartbeatSeconds` argument

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!