Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect Price Validation Logic in Order Filling leading to certain financial losses.

TeamRockSolid

Summary

The implementation of price validation for order filling is incorrect and leads to outcomes directly opposite of intented behaviour. This can lead to orders being filled at unfavorable prices, which causes financial losses for users.

Vulnerability Details

In SettlementBranch:fillOffchainOrders, a check is performed to ensure that the price filled is valid. The fill price should never be higher than the target price with a buy order and never be lower with a sell order.
However, the code implements exactly the opposite. It allows buy orders to be filled at prices higher than the target price and sell orders at prices lower than the target price.

This will certainly lead to financial losses to users.

Example:

Buy order: A user wants to buy an apple with a target price of $5. They expect to pay $5 or less, but the current logic would allow the purchase at prices above $5.

Sell order: A user wants to sell an orange for $10. They expect to sell at $10 or higher, but the current logic would allow the sale at prices below $10.

Note that the NatSpec comments correctly describe how the code is supposed to work but the implementation is the complete opposite.

// if the order increases the trading account's position (buy order), the fill price must be less than or

// equal to the target price, if it decreases the trading account's position (sell order), the fill price

// must be greater than or equal to the target price.

ctx.isFillPriceValid = (ctx.isBuyOrder && ctx.offchainOrder.targetPrice <= ctx.fillPriceX18.intoUint256())

|| (!ctx.isBuyOrder && ctx.offchainOrder.targetPrice >= ctx.fillPriceX18.intoUint256());

The implemented logic

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/SettlementBranch.sol#L283-L287

Impact

There will be financial losses to overpayment with buy orders and under receiving payment with sell orders.

The impact is High and the likelyhood is guaranteed, so we believe this findings merits a High severity.

Tools Used

Manual Review

Recommendations

Reverse the comparison operators in the price validation logic to align with the intended behavior.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

fillOffchainOrders inverses the comparison between `fillPrice` and `targetPrice`

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!