DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Unauthorized Market Order update on MarketOrder.sol : : update()

Summary

This report addresses a significant security vulnerability in a smart contract system, which allows unauthorized users to manipulate market order data. The vulnerability arises from inadequate access controls and input validation in the update function.

Vulnerability Details

function update(Data storage self, uint128 marketId, int128 sizeDelta) internal {
    self.marketId = marketId;
    self.sizeDelta = sizeDelta;
    self.timestamp = uint128(block.timestamp);
}

Lack of Access Control: The update function does not implement any mechanisms to restrict who can call it. This means any user can execute this function, potentially modifying market order data without proper authorization.

For example:

The update function is intended to set or modify market orders, where marketId refers to a specific market, and sizeDelta represents the change in order size.

  • Initial State:

    • Market ID: 1

    • Size Delta: 100 (indicating a buy order of 100 units)

    • Timestamp: The time when the order was created

  • Unauthorized User Action: An attacker who can call the update function without authorization inputs the following:

    • Market ID: 999 (an invalid or non-existent market)

    • Size Delta: -500 (a large negative value indicating a sell order)

Incorrect Market Data:

  • Market ID: The attacker sets the market ID to 999, which may not exist in the system. This leads to inconsistencies where the system references a non-existent market.

  • Size Delta: Setting a large negative sizeDelta could result in a substantial incorrect sell order being processed. This could affect trading operations and potentially lead to unintended trades or liquidations.

Here's a test example that demonstrates how an attacker could exploit the update function vulnerability:

Set up the Exploit Scenario

  • The MarketOrder library has an update function that lacks access control.

  • An unauthorized user will attempt to call update with arbitrary values.

Writing the Exploit in Foundry

First, set up your environment. In your lib or contracts folder, you should have the MarketOrder library and its dependencies. Then, create a new test file in the test directory.

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;

import "forge-std/Test.sol";
import "../lib/MarketOrder.sol";
import "../lib/GlobalConfiguration.sol";

contract MarketOrderExploitTest is Test {
    using MarketOrder for MarketOrder.Data;

    MarketOrder.Data private marketOrderData;
    address unauthorizedAddress = address(0x123);

    function setUp() public {
        // Set up initial conditions for the test
        marketOrderData.marketId = 1;
        marketOrderData.sizeDelta = 100;
        marketOrderData.timestamp = uint128(block.timestamp);
    }

    function testUnauthorizedUpdate() public {
        // Simulate an unauthorized account trying to update the market order
        vm.prank(unauthorizedAddress); // Set the next call's sender to unauthorizedAddress

        // update() is an internal library function executed inline in this
        // contract. Solidity's try/catch only applies to external calls and
        // contract creation, so the call is made directly; if it reverted,
        // the test itself would fail.
        marketOrderData.update(2, 200);

        assertEq(marketOrderData.marketId, 2, "Market ID should be updated to 2");
        assertEq(marketOrderData.sizeDelta, 200, "Size delta should be updated to 200");
        emit log("Exploit succeeded: Unauthorized update allowed.");
    }
}

Unauthorized Update Test:

  • The testUnauthorizedUpdate function simulates an unauthorized account attempting to update a market order.

  • vm.prank(unauthorizedAddress) changes the msg.sender to unauthorizedAddress for the next call.

  • The call to marketOrderData.update(2, 200) attempts to update the market order with new values.

Impact

Financial Impact:

  • Losses for Users: If the attacker is able to alter orders in a way that affects the market price or trading balances, users may suffer financial losses due to incorrect trades.

  • Market Manipulation: By setting invalid or extreme values, the attacker could manipulate the market conditions, causing volatility and potentially exploiting price movements for profit.

Operational Disruptions:

  • Data Integrity Issues: Incorrect market IDs and order sizes can corrupt the contract's state, leading to errors in transaction processing and user balances.

Tools Used

Manual Review

Recommendations

Implement Proper Validation: Ensure that all inputs to the update function are validated according to the contract’s requirements.

For example, we can add some validation checks to the update function:

    // Validation checks
    require(marketId > 0, "Invalid marketId");
    require(sizeDelta != 0, "Invalid sizeDelta"); // Adjust as needed based on business rules

Use Access Control: Ensure that only authorized entities can call functions that modify the contract state.
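The following is an added Foundry example, not code from the report or from the DeFiFoundry project, showing how the two recommendations fit together. The library struct, the OrderBook contract, the error names and the test addresses are all hypothetical reconstructions for illustration. The point it makes: update() is an internal library function with no msg.sender of its own, so the validation belongs inside update() while the access check belongs in the external entry point that calls it.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.25;

import "forge-std/Test.sol";

// Hypothetical reconstruction of the library; the project's real
// MarketOrder.Data may carry more fields.
library MarketOrderGuarded {
    struct Data {
        uint128 marketId;
        int128 sizeDelta;
        uint128 timestamp;
    }

    error InvalidMarketId();
    error InvalidSizeDelta();

    // Same shape as the original update(), plus the validation the report recommends.
    function update(Data storage self, uint128 marketId, int128 sizeDelta) internal {
        if (marketId == 0) revert InvalidMarketId();
        if (sizeDelta == 0) revert InvalidSizeDelta();
        self.marketId = marketId;
        self.sizeDelta = sizeDelta;
        self.timestamp = uint128(block.timestamp);
    }
}

// Hypothetical external entry point: the only path by which callers reach
// update(). Access control lives here, because the internal library call
// executes in this contract's own context.
contract OrderBook {
    using MarketOrderGuarded for MarketOrderGuarded.Data;

    mapping(address => MarketOrderGuarded.Data) private orders;
    mapping(uint128 => bool) public marketExists;
    address public immutable owner;

    error Unauthorized(address caller);
    error UnknownMarket(uint128 marketId);

    constructor() {
        owner = msg.sender;
    }

    function enableMarket(uint128 marketId) external {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        marketExists[marketId] = true;
    }

    // Each account may only modify its own order, and only on an enabled market.
    function updateOrder(address account, uint128 marketId, int128 sizeDelta) external {
        if (msg.sender != account) revert Unauthorized(msg.sender);
        if (!marketExists[marketId]) revert UnknownMarket(marketId);
        orders[account].update(marketId, sizeDelta);
    }

    function getOrder(address account) external view returns (uint128, int128, uint128) {
        MarketOrderGuarded.Data storage d = orders[account];
        return (d.marketId, d.sizeDelta, d.timestamp);
    }
}

contract OrderBookAccessTest is Test {
    OrderBook book;
    address alice = address(0xA11CE);   // constructed test address
    address attacker = address(0x123);  // constructed test address

    function setUp() public {
        book = new OrderBook(); // the test contract becomes owner
        book.enableMarket(1);
        vm.prank(alice);
        book.updateOrder(alice, 1, 100);
    }

    function testAttackerCannotOverwriteAliceOrder() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(OrderBook.Unauthorized.selector, attacker));
        book.updateOrder(alice, 1, -500);
        (uint128 marketId, int128 sizeDelta,) = book.getOrder(alice);
        assertEq(marketId, 1);
        assertEq(sizeDelta, 100);
    }

    function testUnknownMarketRejected() public {
        vm.prank(alice);
        vm.expectRevert(abi.encodeWithSelector(OrderBook.UnknownMarket.selector, uint128(999)));
        book.updateOrder(alice, 999, 50);
    }

    function testZeroSizeDeltaRejected() public {
        vm.prank(alice);
        vm.expectRevert(MarketOrderGuarded.InvalidSizeDelta.selector);
        book.updateOrder(alice, 1, 0);
    }
}
```

Run with forge test -vv. The three tests cover the report's two scenarios (market ID 999 and a large negative sizeDelta from a third party) plus the zero-size rule from the recommended require statements; in each case the pre-existing order for alice is left untouched.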

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
