DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Status: Invalid

Lack of Input Validation for indexPrice Parameter in PerpMarketBranch.sol

Summary

Description: The getMarkPrice function performs no validation on the indexPrice parameter. A zero or very low value is wrapped into a UD60x18 and passed straight into the mark price calculation, which could lead to incorrect results and unintended behavior.

Code:

function getMarkPrice(uint128 marketId, uint256 indexPrice, int256 skewDelta) external view returns (UD60x18) {
    PerpMarket.Data storage perpMarket = PerpMarket.load(marketId);
    return perpMarket.getMarkPrice(sd59x18(skewDelta), ud60x18(indexPrice));
}

Vulnerability Details

Proof of concept
To demonstrate the absence of input validation, consider the following steps:

  • Deployment and Initialization:
    Deploy PerpMarketBranch.
    Initialize a market with marketId set to a non-zero value.

  • Attack Vector:
    Call getMarkPrice with indexPrice set to zero. Example:

    uint128 marketId = 1;
    uint256 indexPrice = 0;
    int256 skewDelta = 100; // example skewDelta value
    UD60x18 markPrice = perpMarketBranchInstance.getMarkPrice(marketId, indexPrice, skewDelta);

  • Expected Behavior:
    Return an accurate mark price reflecting the market situation.

  • Actual Behavior:
    Returns an incorrect mark price, potentially misleading market participants.

Impact

Medium.
Incorrect mark price calculations can undermine market integrity and affect participant decisions.

Tools Used

Manual code review

Recommendations

Suggested Remediation: Implement a check to ensure indexPrice is greater than zero:

function getMarkPrice(uint128 marketId, uint256 indexPrice, int256 skewDelta) external view returns (UD60x18) {
+   require(indexPrice > 0, "Index price must be greater than zero");
    PerpMarket.Data storage perpMarket = PerpMarket.load(marketId);
    return perpMarket.getMarkPrice(sd59x18(skewDelta), ud60x18(indexPrice));
}

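The following Foundry test is an added example and is not code from the submission or from the audited project. It isolates only the guard from the recommendation above: it shows that the ud60x18() wrapper accepts zero without error (the silent path the report describes) and that a guard placed before the wrap rejects it. The contract name, the custom error, the helper function names and the import paths for forge-std and PRB Math v4 are assumptions; the project's actual PerpMarket.getMarkPrice skew math is deliberately not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not project code. Import paths assume a Foundry project with
// forge-std and PRB Math v4 installed (assumption).
import { Test } from "forge-std/Test.sol";
import { UD60x18, ud60x18 } from "@prb/math/src/UD60x18.sol";

/// @dev Hypothetical contract that contains only the index price guard.
///      The real mark price math is not reproduced here.
contract IndexPriceGuardExample {
    error ZeroIndexPrice();

    /// Mirrors the unguarded path: ud60x18() is a plain type wrapper and accepts 0.
    function wrapUnchecked(uint256 indexPrice) external pure returns (UD60x18) {
        return ud60x18(indexPrice);
    }

    /// Guarded path: reject a zero index price before it reaches any pricing math.
    /// A typed custom error is used instead of a require string to save gas and
    /// give callers a stable selector to match on.
    function wrapChecked(uint256 indexPrice) external pure returns (UD60x18) {
        if (indexPrice == 0) revert ZeroIndexPrice();
        return ud60x18(indexPrice);
    }
}

contract IndexPriceGuardTest is Test {
    IndexPriceGuardExample internal guard;

    function setUp() public {
        guard = new IndexPriceGuardExample();
    }

    /// The silent behaviour the report describes: zero is wrapped without error.
    function test_uncheckedWrapAcceptsZero() public view {
        UD60x18 price = guard.wrapUnchecked(0);
        assertEq(UD60x18.unwrap(price), 0);
    }

    /// The recommended guard rejects zero with the typed error.
    function test_checkedWrapRevertsOnZero() public {
        vm.expectRevert(IndexPriceGuardExample.ZeroIndexPrice.selector);
        guard.wrapChecked(0);
    }

    /// A positive 18-decimal fixed-point price (constructed value) passes the guard.
    function test_checkedWrapAcceptsPositive() public view {
        uint256 twoThousandUsd = 2_000e18;
        UD60x18 price = guard.wrapChecked(twoThousandUsd);
        assertEq(UD60x18.unwrap(price), twoThousandUsd);
    }
}
```

Run it with `forge test --match-contract IndexPriceGuardTest`. The first test is the one worth keeping in a regression suite: it documents that wrapping into UD60x18 is not itself a validation step, so any bound on indexPrice has to be enforced explicitly by the caller.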
Updates

Lead Judging Commences

inallhonesty, Lead Judge, over 1 year ago:
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
