Zaros Part 1

Summary

The protocol breaks its deposit cap for USDz by minting tokens to its users' margin balance when unrealized profit and loss are settled.

Vulnerability Details

When a trader is profitable, the protocol pays them their due unreliazed PnL in USDz. This system of uPnL settlement causes the protocol to break its deposit cap invariant. When traders deposit collateral, the protocol always validates that the deposit cap for that collateral type is not exceeded. However, the deposit cap can't always hold for USDz because the accounts must be paid the unrealized PnL, and the way the protocol does that is by minting them USDz tokens. So if an account is already at its maximum deposit for USDz, any uPnL sent to its balance will break the deposit limitation of USDz for that account.

Areas of interest:
Traders positive uPnL are sent to their account
https://github.com/Cyfrin/2024-07-zaros/blob/69ccf428b745058bea08804b3f3d961d31406ba8/src/perpetuals/branches/SettlementBranch.sol#L481-L484

Deposit cap is enforced
https://github.com/Cyfrin/2024-07-zaros/blob/69ccf428b745058bea08804b3f3d961d31406ba8/src/perpetuals/branches/TradingAccountBranch.sol#L330-L340

Proof of Concept

Protocol USDz deposit limit: $1000
Trader's USDz margin balance: $900
Trader's current unrealized PnL: $200

Given the above scenario, if the trader attempts to deposit $200 worth of USDz collateral tokens, the transaction will revert because the account will be attempting to go over the maximum deposit cap.
However, if the user opens a new trade, and their uPnL is settled, their USDz margin will increase by $200 worth of USDz, effectively breaking the collateral deposit limits.

Impact

The protocol enforces this rule to keep the risk exposure of the system at a manageable level, and this setup pushes the protocol beyond their desired risk appetite.

Tools Used

Manual

Recommendations

Consider other alternative approach to settling unrealized profit and loss