Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

There is no guarantee that the Chainlink Stream price and the Chainlink Feed price will remain anchored

Oblivionis

Summary

In the current Zaros protocol design, the liquidation-related logic uses quotes from the Chainlink Stream, while the execution of user orders uses quotes from the Chainlink Feed. Currently there is no logic restricting the anchoring of these two prices, which can lead to a number of potential problems.

Please note this issue does not depend on Chainlink's error - Both Chainlink Feed and Chainlink Stream are TRUSTED and behave normally.

Vulnerability Details

According to Chainlink DoC:

Price Feeds | Chainlink Documentation

Chainlink Data Feeds provide data that is aggregated from many data sources by a decentralized set of independent node operators.

Data Streams Liquidity-Weighted Bid-Ask Prices (LWBA) | Chainlink Documentation

A Liquidity-Weighted price considers the Bid and Ask prices based on the available liquidity at each price level in the order books. This method weights price data by the volume of assets available at each price point, and provides a more accurate reflection of market conditions where larger orders would significantly impact the price.

Due to differences in the underlying design, when both Feed and Stream are working properly, there is no guarantee that the price anchors of both. In fact, IndexPrice (fetched from Chainink feed) is likely to fall outside the ASK-BID price band(fetched from Chainink stream).

Here are some potential impacts:

IndexPrice < BID Price < ASK Price

Users with short positions can trade at prices above the liquidation price and can reduce their position size to avoid being liquidated.

Users who open short positions can use less initial margin (compared to their BID price)
BID Price < ASK Price < IndexPrice

Users with long positions can trade at prices above the liquidation price and can reduce their position size to avoid being liquidated.

Users who open long positions can use less initial margin (compared to their ASK price)

Impact

Likelihood: medium - Chainlink Feed will always lag behind Chainlink Stream when prices change drastically(due to the heartbeat and deviation method)

Impact: medium - When this happens, certain users cannot trade normally and certain users can trade accounts that should be liquidated.

Severity: Medium

Tools Used

Manual review

Recommendations

Acknowledge this risk, maybe add relevant depeg-prevention.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

Oblivionis Submitter

about 1 year ago

Oblivionis Submitter

about 1 year ago

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.