Zaros Part 1

Severity: Medium

Summary

The Zaros protocol uses chainlink pricefeeds to fetch the prices of supported tokens. The returned price is always considered to be price in USD. The supported tokens WEETH, and WSTETH do not have USD price feeds on Arbitrum. As a result, the protocol have to update the contracts to combine WEETH/ETH and ETH/USD feeds for the price of WEETH/USD. Similarly for WSTETH, the contracts have to combine WSTETH/ETH and ETH/USD price feeds.

The protocol should not use ETH/USD price for WEETH and WSTETH tokens as the prices are not always 1-1. Using the ETH price could lead to over-estimating or under-estimating user's collateral leading to loss for traders.

For example, if WEETH price is greater than ETH price and protocol uses ETH price for WEETH then

• The trader's deposit in WEETH are under-valued and margin balance will be less than it should be.

• If a trader is liquidated then the trader loses more collateral than they should have because of price difference

Vulnerability Details

see summary.

Impact

The current implementation of the protocol cannot support WEETH and WSTETH tokens without causing losses to traders.

Tools Used

Manual Review

Recommendations

Update the implementation to use combination of price feeds to calculate the target token's price: WEETH/ETH + ETH/USD for WEETH/USD and WSTETH/ETH + ETH/USD for WSTETH