Because account liquidations are batch-processed, malicious traders may take advantage of highly predictable upcoming market movements to exploit users.
When the number of liquidatable accounts is low, checkUpkeep will return (false, uint128[]), with the first element being a boolean flag indicating that liquidatable accounts are not ready for batch processing and the second being an array of all trading accounts subject to liquidation. Armed with this information, malicious traders may monitor any calls to LiquidationKeeper::checkUpkeep in order to exploit coming market changes contingent on user liquidation.
The liquidation of users has the potential to heavily influence the market, so MEV bots can frontrun liquidations by either creating new market orders or filling existing market orders contingent on upcoming liquidations. Under conditions such as liquidatableAccountIds.length == performLowerBound - 1, MEV bots gain a large amount of insight into coming market conditions, which enables them to make trades that benefit them at the cost of user positions. After selling to confirm their short-term gains, these bots can simply continue monitoring future calls to checkUpkeep to wait for the next trading opportunity.
The predictability introduced by this batch processing mechanism can have severe consequences:
1) Market Manipulation: Malicious traders can front-run or manipulate the market by exploiting the known timing of liquidations
2) User Exploitation: Regular users may suffer significant losses due to sudden and manipulated market movements driven by those with foreknowledge of liquidation events
3) Protocol Integrity: The trust and stability of the protocol may be compromised, leading to a loss in user confidence and participation
Manual Review
Handle liquidations as they come instead of batch processing them. This lowers the impact on the market because only individual accounts are liquidated rather than a batch of them, ensuring that MEV bots can only frontrun a single liquidation at a time, as opposed to a large batch of them.
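The difference between the two designs can be measured with a small model. This is an added example, not code from the audited protocol: the Python functions only mimic the (flag, ids) return shape described above, and the threshold value, the account ids, the arrival schedule and the assumption that the flag turns true once the count reaches performLowerBound are all constructed for illustration.

```python
# Model of the keeper check described in this finding (not the protocol's code).
PERFORM_LOWER_BOUND = 3  # assumed value for performLowerBound

# Constructed sample: account ids that become liquidatable before each keeper check.
ARRIVALS = [[101], [102], [], [103, 104], [105]]


def check_upkeep_batched(liquidatable_ids, lower_bound=PERFORM_LOWER_BOUND):
    """Batch design: the id list is returned even when the flag is false."""
    return (len(liquidatable_ids) >= lower_bound, list(liquidatable_ids))


def check_upkeep_immediate(liquidatable_ids):
    """Recommended design: any liquidatable account is processed right away."""
    return (len(liquidatable_ids) > 0, list(liquidatable_ids))


def simulate(arrivals, check):
    """Replay the arrivals through a check function.

    Returns (exposed_checks, largest_batch):
      exposed_checks - checks that returned a non-empty id list with the flag
                       false, i.e. pending liquidations visible but unprocessed
      largest_batch  - most accounts liquidated in a single upkeep
    """
    pending, exposed_checks, largest_batch = [], 0, 0
    for new_ids in arrivals:
        pending.extend(new_ids)
        upkeep_needed, ids = check(pending)
        if upkeep_needed:
            largest_batch = max(largest_batch, len(ids))
            pending = []  # the whole returned list is liquidated together
        elif ids:
            exposed_checks += 1  # ids disclosed while nothing is executed
    return exposed_checks, largest_batch


if __name__ == "__main__":
    print("batched:  ", simulate(ARRIVALS, check_upkeep_batched))
    print("immediate:", simulate(ARRIVALS, check_upkeep_immediate))
```

On the constructed schedule the batch design leaves pending accounts visible on four of five checks and releases four liquidations at once, while per-account handling never returns an unprocessed list and its largest single upkeep covers two accounts.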