Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Input error may lead to liquidation cascade

DedOhwale

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/branches/GlobalConfigurationBranch.sol#L299-L325

Summary

The process for updating the Market Configuration in GlobalConfigurationBranch lacks a potentially catastrophic validation. This oversight can lead to a situation where nearly all user accounts become liquidatable. Specifically, self.maintenanceMarginRateX18 could be set to an excessively high value, which would disrupt the functionality of isLiquidatable().

Description

In the GlobalConfigurationBranch contract, the function to update the Market Configuration does not include a check to prevent excessively high values for maintenanceMarginRateX18. If this parameter is set too high, it would cause nearly all user accounts to be flagged as liquidatable, severely destabilizing the liquidation market. This issue arises because the only check performed on maintenanceMarginRateX18 is to ensure it is not zero, without verifying that it falls within a reasonable range.

if (abi.encodePacked(params.name).length == 0) {
revert Errors.ZeroInput("name");
}
if (abi.encodePacked(params.symbol).length == 0) {
revert Errors.ZeroInput("symbol");
}
if (params.priceAdapter == address(0)) {
revert Errors.ZeroInput("priceAdapter");
}
if (params.maintenanceMarginRateX18 == 0) {
revert Errors.ZeroInput("maintenanceMarginRateX18");
}
if (params.maxOpenInterest == 0) {
revert Errors.ZeroInput("maxOpenInterest");
}
if (params.maxSkew == 0) {
revert Errors.ZeroInput("maxSkew");
}
if (params.initialMarginRateX18 == 0) {
revert Errors.ZeroInput("initialMarginRateX18");
}
if (params.initialMarginRateX18 <= params.maintenanceMarginRateX18) {
revert Errors.InitialMarginRateLessOrEqualThanMaintenanceMarginRate();
}
if (params.skewScale == 0) {
revert Errors.ZeroInput("skewScale");
}
if (params.minTradeSizeX18 == 0) {
revert Errors.ZeroInput("minTradeSizeX18");
}
if (params.maxFundingVelocity == 0) {
revert Errors.ZeroInput("maxFundingVelocity");
}
if (params.priceFeedHeartbeatSeconds == 0) {
revert Errors.ZeroInput("priceFeedHeartbeatSeconds");
}

Impact

While the probability of this condition occurring is low, as it would likely result from an error by the owner of GlobalConfigurationBranch, the potential impact is significant. If maintenanceMarginRateX18 is set to an excessively high value, the entire ecosystem could be destabilized by making all accounts liquidatable, leading to a cascade of liquidations.

Proof of Concept

The following code snippet shows how isLiquidatable() within TradingAccount.sol determines if an account is liquidatable:

return requiredMaintenanceMarginUsdX18.intoSD59x18().gt(marginBalanceUsdX18);

If requiredMaintenanceMarginUsdX18 is set to an extremely high value, this condition will always evaluate to true, resulting in all accounts being marked as liquidatable.

Tools Used

Manual Review

Recommended Mitigation

Implement Range Check: Add a sanity check to ensure that maintenanceMarginRateX18 is within a reasonable range. This can be done by implementing a revert condition in updatePerpMarketConfiguration to catch nonsensically high values.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.