Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Missing Update for `priceFeedHeartbeatSeconds` in `MarketConfiguration.update` Function

brene

Summary

The priceFeedHeartbeatSeconds parameter in MarketConfiguration.sol is not updated, yet it is used in PerpMarket.sol to validate the freshness of price data. This can lead to the use of stale price data or unexpected reverts in the system.

Vulnerability Details

The priceFeedHeartbeatSeconds parameter is not updated within the update function as seen in the following code;

struct Data {

string name;

string symbol;

address priceAdapter;

uint128 initialMarginRateX18;

uint128 maintenanceMarginRateX18;

uint128 maxOpenInterest;

uint128 maxSkew;

uint128 maxFundingVelocity;

uint128 minTradeSizeX18;

uint256 skewScale;

OrderFees.Data orderFees;

uint32 priceFeedHeartbeatSeconds

}

/// @notice Updates the given market configuration.

/// @dev See {MarketConfiguration.Data} for parameter details.

function update(Data storage self, Data memory params) internal {

self.name = params.name;

self.symbol = params.symbol;

self.priceAdapter = params.priceAdapter;

self.initialMarginRateX18 = params.initialMarginRateX18;

self.maintenanceMarginRateX18 = params.maintenanceMarginRateX18;

self.maxOpenInterest = params.maxOpenInterest;

self.maxSkew = params.maxSkew;

self.maxFundingVelocity = params.maxFundingVelocity;

self.minTradeSizeX18 = params.minTradeSizeX18;

self.skewScale = params.skewScale;

self.orderFees = params.orderFees;

}

The unupdated priceFeedHeartbeatSeconds parameter is then called in PerpMarket.getIndexPrice function

Impact

The priceFeedHeartbeatSeconds parameter will not reflect the updated value, leading to potential mismatches between the intended and actual market configurations. This can cause issues in the price feed mechanism, potentially leading to operational disruptions or incorrect market behavior.

Tools Used

Manual Review

Recommendations

Modify the MarketConfiguration.update function to include the priceFeedHeartbeatSeconds parameter as follows

function update(Data storage self, Data memory params) internal {

self.name = params.name;

self.symbol = params.symbol;

self.priceAdapter = params.priceAdapter;

self.initialMarginRateX18 = params.initialMarginRateX18;

self.maintenanceMarginRateX18 = params.maintenanceMarginRateX18;

self.maxOpenInterest = params.maxOpenInterest;

self.maxSkew = params.maxSkew;

self.maxFundingVelocity = params.maxFundingVelocity;

self.minTradeSizeX18 = params.minTradeSizeX18;

self.skewScale = params.skewScale;

self.orderFees = params.orderFees;

+ self.priceFeedHeartbeatSeconds = params.priceFeedHeartbeatSeconds;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`MarketConfiguration::update` function lacks `priceFeedHeartbeatSeconds` argument

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.