DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Absence of deadline and slippage may lead to undesirable market order fills

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/OrderBranch.sol#L242
https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/SettlementBranch.sol#L107

Summary

A vulnerability has been identified in the market order process within the OrderBranch.sol and SettlementBranch.sol contracts. The absence of deadline and slippage parameters in market orders can lead to orders being executed at unfavorable prices when the Chainlink keepers responsible for order settlement are delayed or fail.

Description

In the current implementation, the createMarketOrder() function within OrderBranch.sol initiates the market order creation process. However, the subsequent order settlement is handled by the fillOrder() function in SettlementBranch.sol, which is performed by Chainlink keepers. These keepers, being autonomous agents, are subject to delays or downtime.

Due to the lack of deadline and slippage parameters, a market order might be filled at an unspecified time in the future at a potentially unfavorable price. This behavior can lead to significant financial losses for users who expect their orders to be executed within a certain time frame and price range.

Impact

The vulnerability can cause market orders to be filled at undesirable times and prices, leading to financial losses for users. The risk is exacerbated by the reliance on Chainlink keepers, whose operational reliability can vary. Users might find their orders executed long after their intended submission, possibly at prices that are significantly worse than expected.

Proof of Concept

Consider the following scenario:

  1. Alice creates a market sell order using createMarketOrder().

  2. The Chainlink keeper has a short delay before taking action.

  3. Within this delay, a cascade of liquidations occurs and the price drops significantly.

  4. Alice's market sell order is filled after the liquidation event, which she may initially have believed she had dodged.

This would lead to a lack of integrity for Zaros, along with a potential loss of customers.

Tools Used

Manual Review

Recommended Mitigation Steps

  1. Add Deadline Parameter: Introduce a deadline parameter in the createMarketOrder() function to specify the maximum acceptable time for order fulfillment.

  2. Add Slippage Parameter: Include a slippage parameter to ensure the order is filled within an acceptable price range.

  3. Modify fillOrder Function: Update the fillOrder() function to respect the deadline and slippage constraints.
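
A sketch of the three mitigation steps above, as an added example in Solidity; it is not Zaros code or the submitter's. The contract name, struct fields, `acceptablePrice`, the single `keeper` address and the already-verified `fillPrice` argument are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; every name here is hypothetical, not Zaros code.
contract GuardedMarketOrders {
    struct MarketOrder {
        int128 sizeDelta;        // > 0 buy, < 0 sell
        uint128 acceptablePrice; // worst price the trader accepts
        uint64 deadline;         // last timestamp at which a fill is valid
    }

    error ZeroSize();
    error DeadlineInPast();
    error NotKeeper();
    error NoActiveOrder();
    error PriceOutOfBounds(uint128 acceptablePrice, uint128 fillPrice);

    event OrderFilled(address indexed trader, int128 sizeDelta, uint128 fillPrice);
    event OrderExpired(address indexed trader, uint64 deadline);

    address public immutable keeper; // assumption: one trusted settlement caller
    mapping(address => MarketOrder) public activeOrder;

    constructor(address keeper_) { keeper = keeper_; }

    function createMarketOrder(int128 sizeDelta, uint128 acceptablePrice, uint64 deadline) external {
        if (sizeDelta == 0) revert ZeroSize();
        if (deadline < block.timestamp) revert DeadlineInPast();
        activeOrder[msg.sender] = MarketOrder(sizeDelta, acceptablePrice, deadline);
    }

    /// fillPrice is assumed to come from an oracle report verified before this call.
    function fillOrder(address trader, uint128 fillPrice) external {
        if (msg.sender != keeper) revert NotKeeper();
        MarketOrder memory order = activeOrder[trader];
        if (order.sizeDelta == 0) revert NoActiveOrder();
        // Stale order: clear it instead of reverting, so it can never fill later.
        if (block.timestamp > order.deadline) {
            delete activeOrder[trader];
            emit OrderExpired(trader, order.deadline);
            return;
        }
        // Slippage bound: a buy must not pay more, a sell must not receive less.
        bool withinBounds = order.sizeDelta > 0
            ? fillPrice <= order.acceptablePrice
            : fillPrice >= order.acceptablePrice;
        if (!withinBounds) revert PriceOutOfBounds(order.acceptablePrice, fillPrice);
        delete activeOrder[trader];
        emit OrderFilled(trader, order.sizeDelta, fillPrice);
    }
}
```

In this sketch a price breach reverts and leaves the order pending, so the keeper can retry until the deadline; position accounting after the fill is out of scope.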

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

fillMarketOrder lacks slippage protection

Appeal created

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

fillMarketOrder lacks slippage protection
