Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

User can continue trading activities even if market or settlement configuration is disabled

cryptomoon

Summary

The current logic for determining whether a position is being increased is flawed. It allows users to increase their position size in other direction by specifying an absolute value of sizeDelta that is more than their current position size.

Vulnerability Details

If the perpMarketis not enabled for trading or it's settlementConfigurationis not enabled, then the checks are present in code to ensure that users can only decrease their size or close the position. Due to this, new positions in that market can't be opened or existing position can't be increased.

However, the checks present is not sufficient and user can still trade when markets and settlement can be disabled. Due to insufficient check, user can convert their long position to short or their short position to long. This is not desirable since users are only allowed to decrease their size or close the position. The users can change their long position to short by entering sizeDelta (in absolute terms) more than abs(position.size) + minTradeSize. This is not desirable because trading activity will still be enabled due to bypassing of checks by users.

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/OrderBranch.sol#L262

// determine whether position is being increased or not

ctx.isIncreasing = Position.isIncreasing(params.tradingAccountId, params.marketId, params.sizeDelta);

if (ctx.isIncreasing) {

// both checks revert if disabled

globalConfiguration.checkMarketIsEnabled(marketId);

settlementConfiguration.checkIsSettlementEnabled();

}

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/SettlementBranch.sol#L367-L380

ctx.isIncreasing = Position.isIncreasing(tradingAccountId, marketId, sizeDeltaX18.intoInt256().toInt128());

// both markets and settlement can be disabled, however when this happens we want to:

// 1) allow open positions not subject to liquidation to decrease their size or close

// 2) prevent new positions from being opened & existing positions being increased

// the idea is to prevent a state where traders have open positions but are unable

// to reduce size or close even though they can still be liquidated; such a state

// would severly disadvantage traders

if (ctx.isIncreasing) {

// both checks revert if disabled

globalConfiguration.checkMarketIsEnabled(marketId);

settlementConfiguration.checkIsSettlementEnabled();

}

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/leaves/Position.sol#L155-L172

function isIncreasing(

uint128 tradingAccountId,

uint128 marketId,

int128 sizeDelta

)

internal

view

returns (bool)

{

Data storage self = Position.load(tradingAccountId, marketId);

// If position is being opened (size is 0) or if position is being increased (sizeDelta direction is same as

// position size)

// For a positive position, sizeDelta should be positive to increase, and for a negative position, sizeDelta

// should be negative to increase.

// This also implicitly covers the case where if it's a new position (size is 0), it's considered an increase.

return self.size == 0 || (self.size > 0 && sizeDelta > 0) || (self.size < 0 && sizeDelta < 0);

}

Proof of concept:

Below is the modified test named test_WhenThePositionIsBeingDecreasedOrClosedin createMarketOrder.t.sol. Line 39in below test is modified. In the original test, the assumption was that if market is disabled, only the position can be decreased or closed. However, we increased user's long position to short instead of closing it.

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/test/integration/perpetuals/order-branch/createMarketOrder/createMarketOrder.t.sol#L182-L222

function test_WhenThePositionIsBeingDecreasedOrClosed()

external

givenTheAccountIdExists

givenTheSenderIsAuthorized

whenTheSizeDeltaIsNotZero

givenThePerpMarketIsDisabled

{

// give naruto some tokens

uint256 marginValueUsdc = 100_000e6;

int128 userPositionSizeDelta = 10e18;

deal({ token: address(usdc), to: users.naruto.account, give: marginValueUsdc });

// naruto creates a trading account and deposits their tokens as collateral

changePrank({ msgSender: users.naruto.account });

uint128 tradingAccountId = createAccountAndDeposit(marginValueUsdc, address(usdc));

// naruto opens first position in BTC market

openManualPosition(

BTC_USD_MARKET_ID, BTC_USD_STREAM_ID, MOCK_BTC_USD_PRICE, tradingAccountId, userPositionSizeDelta

);

// protocol operator disables settlement for the BTC market

changePrank({ msgSender: users.owner.account });

SettlementConfiguration.DataStreamsStrategy memory marketOrderConfigurationData = SettlementConfiguration

.DataStreamsStrategy({ chainlinkVerifier: IVerifierProxy(mockChainlinkVerifier), streamId: BTC_USD_STREAM_ID });

SettlementConfiguration.Data memory marketOrderConfiguration = SettlementConfiguration.Data({

strategy: SettlementConfiguration.Strategy.DATA_STREAMS_DEFAULT,

isEnabled: false,

fee: DEFAULT_SETTLEMENT_FEE,

keeper: marketOrderKeepers[BTC_USD_MARKET_ID],

data: abi.encode(marketOrderConfigurationData)

});

perpsEngine.updateSettlementConfiguration(

BTC_USD_MARKET_ID, SettlementConfiguration.MARKET_ORDER_CONFIGURATION_ID, marketOrderConfiguration

);

// naruto attempts to close their position

changePrank({ msgSender: users.naruto.account });

// naruto position remains opened

openManualPosition(

BTC_USD_MARKET_ID, BTC_USD_STREAM_ID, MOCK_BTC_USD_PRICE, tradingAccountId, -userPositionSizeDelta - 5e18

);

}

Impact

The user can still continue their trading activities even though the marketand settlementConfigurationis disabled by admin.

Tools Used

Manual Review

Recommendations

The case where position is not increasing, another check should be added to ensure that abs(sizeDelta)should be less than or equal to abs(positionSize).

// determine whether position is being increased or not

ctx.isIncreasing = Position.isIncreasing(params.tradingAccountId, params.marketId, params.sizeDelta);

if (ctx.isIncreasing && abs(sizeDelta) < abs(position.size)) {

// both checks revert if disabled

globalConfiguration.checkMarketIsEnabled(marketId);

settlementConfiguration.checkIsSettlementEnabled();

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Disable market limitation can be bypassed

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.