When a user creates an order, it enters a pending state. To activate the order, Zaros' Keeper must execute fillOrder. However, there is a critical issue in the process:
Users must deposit collateral when creating an order, but nothing restricts them from modifying that collateral while the order is pending. This allows risk-profile manipulation and creates systemic risk for the protocol. Additionally, users can withdraw all collateral backing a pending order, leaving it undercollateralized and causing a denial of service (DoS), since the order can no longer be executed.
This problem was identified in the Synthetix protocol in previous audits/PRs: https://github.com/Synthetixio/synthetix-v3/pull/1711
In Zaros, however, the issue is worse because users can withdraw all of their collateral while they have pending orders.
The root cause is that the protocol does not lock the user's collateral when an order is created. The only verification performed is a check that the user has enough collateral to cover the position, as shown below:
In a nutshell, this vulnerability leads to:
Manipulation Opportunity: Users may reduce their collateral to increase leverage or avoid liquidation, impacting the risk profile and integrity of the system.
Undercollateralization: Withdrawing all collateral leaves pending orders undercollateralized, causing a DoS when the Keeper tries to fill the order.
A user places a large order in the perpetual futures market with a specific amount of collateral, committing to a defined risk profile.
The order enters a pending state and is waiting to be filled.
Changing Market Conditions:
Market conditions may shift unfavorably against the user’s position while the order is pending.
Manipulation Opportunity:
Without restrictions, the user could reduce their collateral before the order is executed, keeping the same exposure with less collateral, i.e. higher leverage.
Consequences of Reduced Margin:
Increased Leverage: Reducing collateral increases leverage, magnifying potential gains or losses.
Avoiding Liquidation: Users may avoid liquidation by staying just above the threshold, exposing the protocol to significant risk if the market moves against them post-execution.
Systemic Risk:
Allowing changes to collateral during the pending state undermines risk management and fair liquidation processes, potentially leading to greater losses than the protocol can handle.
A user places a large order in the perpetual futures market with a specific amount of collateral, committing to a defined risk profile.
The order enters a pending state and is waiting to be filled.
The user withdraws all collateral before the order is filled.
The Keeper cannot fill the order because there isn't enough collateral for the position.
Add the following test to checkLiquidatableAccounts.t.sol and run: forge test --match-test testWithdrawBeforeFillingOrder_isPossible_leadingToDoS_or_manipulatingLeverage -vv
Output:
The user can withdraw all of their collateral before the order is filled.
The Keeper hits a DoS (insufficient margin) when trying to fill the order.
Increased Leverage: User can amplify potential gains or losses by reducing collateral.
Avoidance of Liquidation: User can avoid liquidation and continue to hold high-risk positions.
Denial of Service (DoS): Undercollateralized orders cannot be executed (fillOrder reverts), disrupting market operations.
Systemic Risk: Since undercollateralized orders cannot be filled, the protocol's ability to manage risk and enforce fair liquidation is compromised, potentially leading to substantial financial losses.
Manual Review
Foundry
Synthetix previous audit:
Synthetix discussion about locking user collateral: https://github.com/Synthetixio/synthetix-v3/pull/1711
Lock the user's collateral while they have pending orders. This can be done by adding a check to the deposit/withdraw margin functions: if the user has pending orders, they cannot change their collateral.
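The recommended check, as an added illustrative sketch that is not Zaros code: a simplified margin account with the unsafe withdraw beside the hardened one, where the hardened version reverts while a pending order exists. Function names, storage layout and the 10% initial-margin rule are assumptions.

```solidity
pragma solidity ^0.8.20;

/// Simplified margin-account sketch (not Zaros code); names, storage and margin rule are assumed.
contract MarginAccountSketch {
    struct PendingOrder { uint256 notional; bool active; }

    mapping(address => uint256) public marginBalance;     // trader => collateral, 18 decimals
    mapping(address => PendingOrder) public pendingOrder; // trader => pending market order
    uint256 public constant INITIAL_MARGIN_BPS = 1_000;   // 10% initial margin (assumed)
    error PendingOrderExists(address trader);
    error InsufficientMargin(address trader, uint256 required, uint256 available);

    function depositMargin(uint256 amount) external {
        marginBalance[msg.sender] += amount; // ERC-20 transfer omitted for brevity
    }

    // Vulnerable shape: only the current balance is checked, so a trader with a pending
    // order can drain the collateral that the order relies on.
    function withdrawMarginUnsafe(uint256 amount) external {
        require(marginBalance[msg.sender] >= amount, "insufficient balance");
        marginBalance[msg.sender] -= amount;
    }

    // Hardened shape: collateral is locked while a pending order exists.
    function withdrawMargin(uint256 amount) external {
        if (pendingOrder[msg.sender].active) revert PendingOrderExists(msg.sender);
        require(marginBalance[msg.sender] >= amount, "insufficient balance");
        marginBalance[msg.sender] -= amount;
    }

    function createMarketOrder(uint256 notional) external {
        if (pendingOrder[msg.sender].active) revert PendingOrderExists(msg.sender);
        _requireMargin(msg.sender, notional);
        pendingOrder[msg.sender] = PendingOrder(notional, true);
    }

    // Keeper path: margin is re-checked at fill time, so after withdrawMarginUnsafe it reverts (DoS).
    function fillOrder(address trader) external {
        PendingOrder memory o = pendingOrder[trader];
        require(o.active, "no pending order");
        _requireMargin(trader, o.notional);
        delete pendingOrder[trader]; // position bookkeeping omitted
    }

    function _requireMargin(address trader, uint256 notional) internal view {
        uint256 required = notional * INITIAL_MARGIN_BPS / 10_000;
        uint256 available = marginBalance[trader];
        if (available < required) revert InsufficientMargin(trader, required, available);
    }
}
```

The same pending-order guard should be applied to depositMargin if deposits during the pending window are also meant to be disallowed, as the recommendation above suggests.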