Zaros Part 1

Summary

A malicious actor can cause the keeper to waste resources trying to execute the vanity orders.

Vulnerability Details

A malicious actor can cause the keeper to expend excess gas by spamming it with vanity transactions. When users create orders, the keeper is responsible for executing these transactions, expending its resources in the process. The cost of this transaction is supposed to be covered by the settlement and order fee received when the order is filled. However, these orders are not always filled. And if there are a lot of unfilled transactions, the keeper ends up expending gas fees on vanity orders. The protocol tries to mitigate spamming the keeper with orders by limiting the number of orders and positions an account can have to one. However, traders can still create a limitless number of trading accounts. This can be exploited at almost no cost to cause the keeper to waste resources trying to execute the orders.

Proof of concept

Attack creates a transaction that does the following actions in a loop for a desired number of times.

• Create a trading account

• Deposit collateral

• Create an order

• Withdraw collateral
  *restart loop

When the keeper tries to execute any of the orders it fails because the account will have insufficient margin balance.

Impact

Loss of treasury funds for the keeper

Tools Used

Manual

Recommendations

The are several strategies that can be employed, including the following.

• Factor in the required margin for the queued order when calculating the available margin during the withdrawal

• Disable withdrawal when the user has a market order queued

• Limit the number of accounts per trader

• Prevent traders from being able to create an account, deposit, create an order, and withdraw in the same transaction