DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

No Deadline or Slippage in CreateMarketOrder

Summary

Within OrderBranch.sol::createMarketOrder, certain key user-friendly features of conventional market orders have been omitted. Namely, there is no deadline for any market order created by users, and there is no slippage protection to account for periods of high market volatility.

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/OrderBranch.sol#L220-L355

Vulnerability Details

Below are all the parameters used for a market order:

struct CreateMarketOrderParams {
    uint128 tradingAccountId;
    uint128 marketId;
    int128 sizeDelta;
}

Note that users can specify neither a deadline nor a slippage tolerance.

Since users cannot specify slippage, they leave themselves exposed to MEV bots and sandwich attacks. Consider the following sequence without slippage protection:

  1. MEV bot sees pending market order

  2. They quickly place a buy order before the original market order

  3. The original order from our user executes at a higher, potentially undesired price point

  4. Attacker places a sell order after, dropping the price back down

With slippage protection:

  1. Attacker places buy order, increasing the price

  2. If the price exceeds the slippage tolerance set by user, original order is not executed

  3. Attacker sandwich strategy fails because the manipulated price movement causes the original order to be canceled

Furthermore, with slippage protection it is highly likely that an MEV bot will calculate that this kind of attack is unprofitable and choose not to perform it in the first place, reducing market congestion.

Without a deadline, a user has to manually cancel a market order once they decide that filling it would be undesirable to them. This is prone to user error, and users can accidentally leave stale market orders up because they are busy with their own lives. Furthermore, this contributes to an ecosystem where bots have these stale orders to play around with to perform various attacks on user funds, creating a hostile environment for human traders.

Impact

While a lack of slippage protection or a deadline will inevitably lead to a minor loss of funds on the users' behalf, it is unlikely that the protocol would be damaged too greatly beyond an erosion of user trust. After all, Zaros will still be retrieving its fees from both MEV bots and users. However, it is possible that this hostile ecosystem will drive users out of Zaros into other adjacent markets, decreasing the available pool of users to profit from.

Tools Used

Manual Review

Recommendations

Modify createMarketOrder and fillMarketOrder to accommodate user deadlines (i.e. revert the fill if the deadline has passed) and implement slippage protection in createMarketOrder to help protect users against competing bots.
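
One way the recommended checks could look, as an added sketch that is not Zaros code and not part of the original submission. Only `tradingAccountId`, `marketId` and `sizeDelta` come from the page; the contract name, the `acceptablePrice` and `deadline` fields, the errors and events, and the `fillPrice` argument are hypothetical, and this variant clears an expired order rather than reverting so that it cannot linger.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Zaros code. Only tradingAccountId, marketId and sizeDelta
// come from the page; every other name is hypothetical. Access control, margin
// checks and settlement are out of scope and marked where they would go.
contract GuardedMarketOrders {
    struct GuardedMarketOrderParams {
        uint128 tradingAccountId;
        uint128 marketId;
        int128 sizeDelta;
        uint256 acceptablePrice; // assumed: worst fill price the user accepts
        uint64 deadline; // assumed: unix time after which the order is stale
    }

    error ZeroSizeDelta();
    error NoPendingOrder(uint128 tradingAccountId);
    error DeadlineInPast(uint64 deadline);
    error PriceOutsideTolerance(uint256 fillPrice, uint256 acceptablePrice);
    event OrderExpired(uint128 indexed tradingAccountId, uint64 deadline);
    event OrderFilled(uint128 indexed tradingAccountId, uint256 fillPrice);

    mapping(uint128 => GuardedMarketOrderParams) public pendingOrder;

    function createMarketOrder(GuardedMarketOrderParams calldata p) external {
        if (p.sizeDelta == 0) revert ZeroSizeDelta();
        if (p.deadline < block.timestamp) revert DeadlineInPast(p.deadline);
        // Account ownership and margin validation would go here.
        pendingOrder[p.tradingAccountId] = p;
    }

    // fillPrice stands in for whatever execution price the protocol computes (assumed input).
    function fillMarketOrder(uint128 tradingAccountId, uint256 fillPrice) external {
        GuardedMarketOrderParams memory p = pendingOrder[tradingAccountId];
        if (p.sizeDelta == 0) revert NoPendingOrder(tradingAccountId);
        // Stale order: clear it instead of reverting, so it cannot linger.
        if (block.timestamp > p.deadline) {
            delete pendingOrder[tradingAccountId];
            emit OrderExpired(tradingAccountId, p.deadline);
            return;
        }
        // Longs must not pay more, shorts must not receive less, than the bound.
        bool worse = p.sizeDelta > 0 ? fillPrice > p.acceptablePrice : fillPrice < p.acceptablePrice;
        if (worse) revert PriceOutsideTolerance(fillPrice, p.acceptablePrice);
        delete pendingOrder[tradingAccountId];
        // Position update and fee settlement would go here.
        emit OrderFilled(tradingAccountId, fillPrice);
    }
}
```

A fill that reverts on the price bound leaves the order pending, so it can still execute at an acceptable price until the deadline passes.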

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

fillMarketOrder lacks slippage protection
