Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

When transfering the NFT associated to a TradingAccount, the old owner can grief the new owner by leaving an opened MarketOrder that will be executed even though the old owner is not the owner of the TradingAccount.

0xstalin

## Summary

Old Owner of a TradingAccount can grief the new owner by leaving an opened MarketOrder that will be executed even though the old owner is not the current owner of the TradingAccount.

## Vulnerability Details

[When filling a MarketOrder](https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/SettlementBranch.sol#L107-L166), there are no validations to check if the MarketOrder associated to the TradingAccount was indeed created by the current owner of the TradingAccount, the execution assumes that the market order was indeed created by the TradingAccount's owner.

The problem with assuming that the owner of the TradingAccount was the one who created the MarketOrder is that, this allows a grieffing vector that when transfering accounts among users, the existing owner can create a MarketOrder, then transfer the NFT (and subsequently transfer the ownership of the TradingAccount), and, after that, the MarketOrder created by the old owner is still active and will be able to be filled, regardless of the new owner.

The [`AccountNFT._update() function`](https://github.com/Cyfrin/2024-07-zaros/blob/main/src/account-nft/AccountNFT.sol#L23-L28) is called as part of the execution to transfer the NFT associated to the TradingAccount, but, the MarketOrder of the account is not canceled.

```

function _update(address to, uint256 tokenId, address auth) internal virtual override returns (address) {

address previousOwner = super._update(to, tokenId, auth);

//@audit => Notifies the engine about the new owner of the TradingAccount

IPerpsEngine(owner()).notifyAccountTransfer(to, tokenId.toUint128());

return previousOwner;

}

```

## Impact

The old Owner of a TradingAccount can grief the new owner by leaving an opened MarketOrder that can affect the PnL of the position.

## Tools Used

Manual Audit

## Recommendations

When calling the [`AccountNFT._update() function`](https://github.com/Cyfrin/2024-07-zaros/blob/main/src/account-nft/AccountNFT.sol#L23-L28) to notify the PerpsEngine contract about the new owner of the TradingAccount, also make sure to erase the MarketOrder associated to the TradingAccount, in this way, the new owner will receive the TradingAccount with an empty Market Order.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

When a user creates an order and then transfers the account NFT, pending orders should clear

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.