Zaros Part 1

Summary

The getPrice function in the ChainlinkUtil library checks that the price of the asset is not at or below the minPrice. With any protocol that holds liquidation functionality, this check actually does more harm than good. Because of this check, an attacker or any user can open a position right above the minPrice, knowing that they are safe from any possible liquidation. Whenever the price falls below the minPrice, any attempt to liquidate will revert. This allows anyone to create a risk-free position.

Vulnerability Details

The ChainlinkUtil library is used to get the price of an asset at any given time. This feature is core to the functionality of the protocol, as it is used to gauge a user's PnL and execute any order, including a liquidation.

The getPrice function has a check that causes a revert whenever the price is below or at the minPrice, as seen below:

A user would execute this attack during a token crash by calculating what their liquidation threshold price would be when the price of the token is right above the minAnswer with max leverage. Once the liquidation threshold is below the minAnswer, the attacker can then safely create the order to open said position. From there on out, whenever the user is liquidatable, it will fail due to the revert when getting the price. This allows the user to hold the position until a profit has been made, all the while locking the liquidity providers' liquidity by holding the position open that should be getting liquidated. If the skew is not in the user's favor, they would need to occasionally add some collateral to offset the funding fee, as this would essentially raise the liquidation threshold above the minAnswer. But this would be a relatively small amount compared to the profit the attacker would make and the liquidity they would be able to lock.

Example:

• LST token current price is $10.00

• LST minAnswer is $1.00

• LST token crashes to $1.01

• Alice deposits 5,000 USDC as collateral

• Alice calls createMarketOrder for ($500,000)

• Price of asset drops to $0.99

• With almost a 2% drop, Alice's position PnL is -200%, deep into insolvency

• Zaros keepers attempt to liquidate but revert due to answer <= minAnswer

• Time passes and the LST has partially recovered with a price of $1.05

• Alice closes the position with ~400% profit, despite being insolvent for a period of time.

With low likelihood and high impact, a medium severity makes the most sense.

The likelihood is low because it would take abnormal market conditions for the price to reach the minAnswer. However, given we are dealing with a variety of LSTs, this is still a realistic possibility.

The impact is high because an attacker can make a max leverage position with no risk of being liquidated, allowing them to wrongly take large amounts of profit.

Impact

• Users can hold a risk-free position that is impossible to be liquidated.

Tools Used

• Manual analysis

Recommendations

• Modify the check to revert only when the price of the asset is below some multiple of minAnswer. This would ensure that any position made can still be liquidated.