DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Delayed Order Execution Risks Price Discrepancies and Unfair Trading Outcomes

Summary

Zaros uses off-chain oracles and keepers for order execution. This setup could lead to issues if there are significant delays between order creation and execution, potentially using outdated prices and causing unfair PnL or liquidation events.

Vulnerability Details

Delayed Execution: Significant delays between order creation and execution could result in using outdated prices, not reflecting the market conditions at the time of order creation.

Example Scenario

A trader creates a market order to long 10 ETH at the current market price.
This is done through OrderBranch::createMarketOrder.

The order is placed in a pending queue.
A keeper, a trusted role in the protocol, is responsible for filling this order.
The keeper uses an off-chain oracle to fetch the current price of ETH.

Time Delay:
There is a significant delay between the order creation and the keeper executing the order.

For example, the trader creates the order at t=1, but the keeper fills it at t=2.

At t=1:

The price of ETH is $1,500.
The trader expects to buy 10 ETH at this price, costing $15,000.

At t=2:

Due to market volatility, the price of ETH has risen to $1,600.

The keeper fetches this new price from the off-chain oracle.

Impact

Unfair PnL: Users may gain or lose more than they deserve due to price discrepancies.

Unfair Liquidations: Users may be liquidated unfairly, impacting their trading accounts.

The trader's order is executed at $1,600 instead of the expected $1,500.

The trader ends up paying $16,000 for 10 ETH, $1,000 more than anticipated.

This discrepancy can lead to unfair PnL (Profit and Loss) and potential liquidation issues.

Tools Used

Manual Review

Recommendations

Slippage Protection: Implement slippage protection mechanisms to prevent execution at unfavorable prices.
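One way to implement the recommended check, as an added example that is not Zaros code and is not part of the original submission: the trader stores a worst acceptable price with the order, and the fill reverts if the keeper's price is worse than that bound or the order is too old. The contract name, struct, errors, function signatures and the 60-second `MAX_ORDER_AGE` are assumptions made for illustration, and the keeper's price is passed in directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Zaros code: contract, struct, errors and signatures are hypothetical.
contract SlippageGuardedOrders {
    struct MarketOrder {
        int256 sizeDelta;     // > 0 long, < 0 short
        uint256 targetPrice;  // worst price the trader accepts (same decimals as fillPrice)
        uint64 createdAt;     // block.timestamp when the order was created
    }

    uint64 public constant MAX_ORDER_AGE = 60; // assumed bound on creation-to-fill delay, seconds
    address public immutable keeper;
    mapping(address => MarketOrder) public pendingOrder;

    error OnlyKeeper();
    error ZeroSize();
    error NoPendingOrder();
    error OrderExpired(uint256 createdAt, uint256 filledAt);
    error SlippageExceeded(uint256 fillPrice, uint256 targetPrice);
    event OrderFilled(address indexed trader, int256 sizeDelta, uint256 fillPrice);

    constructor(address keeper_) {
        keeper = keeper_;
    }

    // The trader commits to a price bound at t=1, e.g. long 10 ETH with targetPrice = 1,500.
    function createMarketOrder(int256 sizeDelta, uint256 targetPrice) external {
        if (sizeDelta == 0) revert ZeroSize();
        pendingOrder[msg.sender] = MarketOrder(sizeDelta, targetPrice, uint64(block.timestamp));
    }

    // Assumption: fillPrice is the oracle price the keeper fetched at t=2, passed in directly here.
    function fillMarketOrder(address trader, uint256 fillPrice) external {
        if (msg.sender != keeper) revert OnlyKeeper();
        MarketOrder memory order = pendingOrder[trader];
        if (order.sizeDelta == 0) revert NoPendingOrder();
        // Reject fills that arrive too long after the order was created.
        if (block.timestamp > order.createdAt + MAX_ORDER_AGE) {
            revert OrderExpired(order.createdAt, block.timestamp);
        }
        // Longs must not fill above the bound, shorts must not fill below it.
        bool worse = order.sizeDelta > 0
            ? (fillPrice > order.targetPrice)
            : (fillPrice < order.targetPrice);
        if (worse) revert SlippageExceeded(fillPrice, order.targetPrice);
        delete pendingOrder[trader];
        emit OrderFilled(trader, order.sizeDelta, fillPrice);
    }
}
```

With the scenario's numbers, a long created with a bound of $1,500 reverts with `SlippageExceeded` when the keeper presents $1,600, and the order stays pending instead of filling at the worse price.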

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

fillMarketOrder lacks slippage protection
