Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

When liquidating openInterest and skew are set to 0

auditism

Summary

After liquidation skew and open Interest are set to zero.

Vulnerability Details

During the unfortunate event of a liquidation, in each market assets of the liquidatee are emptied. However instead of updating the the skew and open interest, both are set to 0.

perpMarket.updateOpenInterest(ctx.newOpenInterestX18, ctx.newSkewX18);

This happens because ctx.newOpenInterestX18 and ctx.newSkewX18 default to zero.

Impact

The balance of the skew is lost after liquidation, now skew which is an important parameter in the order pricing loses its relevance

Tools Used

Manual review

Recommendations

Consider adding this function in order to calculate both skew and openInterest after liquidations:

function openInterestAndSkewAfterLiquidation(

Data storage self,

SD59x18 sizeDelta,

SD59x18 oldPositionSize,

SD59x18 newPositionSize

)

internal

view

returns (UD60x18 newOpenInterest, SD59x18 newSkew)

{

// load max & current open interest for this perp market uint128 -> UD60x18

UD60x18 maxOpenInterest = ud60x18(self.configuration.maxOpenInterest);

UD60x18 currentOpenInterest = ud60x18(self.openInterest);

newOpenInterest =

currentOpenInterest.sub(oldPositionSize.abs().intoUD60x18()).add(newPositionSize.abs().intoUD60x18());

SD59x18 maxSkew = ud60x18(self.configuration.maxSkew).intoSD59x18();

// int128 -> SD59x18

SD59x18 currentSkew = sd59x18(self.skew);

// calculate new skew

newSkew = currentSkew.add(sizeDelta);

}

And add it to the loop:

function liquidateAccounts(uint128[] calldata accountsIds) external {

. . .

tradingAccount.updateActiveMarkets(ctx.marketId, ctx.oldPositionSizeX18, SD59x18_ZERO);

+ (ctx.newOpenInterestX18, ctx.newSkewX18) = checkOpenInterestLimitsAfterLiquidation(ctx.liquidationSizeX18, ctx.oldPositionSizeX18, SD59x18_ZERO)

perpMarket.updateOpenInterest(ctx.newOpenInterestX18, ctx.newSkewX18);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`liquidateAccounts` calls `updateOpenInterest` with uninitialized OI and skew)

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.