Severity: High

Summary

The SettlementBranch::fillOffchainOrder function does not validate the positions limit for the account and does not ensure the account is not liquidatable before the trade.

Vulnerability Details

The protocol supports market orders and offchain orders. Trader have to call OrderBranch::createMarketOrder for creating market orders. The createMarketOrder performs multiple validations before creating a market order. The validations include account positions limit and account is not liquidatable before the trade.

Positions limit check in the createMarketOrder function: OrderBranch.sol#L285-L291

Liquidatable accounts check in the simulateTrade function:
OrderBranch.sol#L129-L136

The Offchain orders are created offline and are filled using the SettlementBranch::fillOffchainOrder. The fillOffchainOrder does not perform these validations allowing traders to

1. Open positions in more markets than the protocol limit

2. Trade with liquidatable accounts; close losing positions to meet maintenance margin and prevent protocol from liquidating the account.

Exploit Scenario:

• Trader Eve has open Long position in BTC Market of size 100e18

• BTC Maintenance Margin = 0.005e18 of position size = 0.5 BTC for Eve

• Eve has a margin balance of 0.51 WBTC; account is not liquidatable

BTC price decreases and Eve's position incurs loss of 0.1 BTC. Eve's account became liquidatable. Eve has an offchain monitoring system which immediately creates an offchain order to decrease the position size to 50e18.

The offchain order is executed. New size is 50e18 and maintenance margin is 0.25 BTC. Eve's margin balance satisfies the requirement even after considering the fee deductions.

Impact

• Traders can open positions in more markets than the protocol limit

• Liquidatable accounts can perform trades, decrease the position sizes to meet the margin requirements and become non-liquidatable.

Tools Used

Manual Review

Recommendations

Add the positions limit and liquidatable account validations to SettlementBranch contract for offchain orders. Perform these validations in SettlementBranch::_fillOrders function to mitigate other issues as well.