Zaros Part 1

Summary

Oracle can return the stale price.

Vulnerability Details

The ChainlinkUtil:getPrice function is utilized to obtain price data using the Chainlink oracle. The sequencerUptimeFeed is a critical component in this process, ensuring that the price data is not outdated and confirming that the sequencer is operational.
https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/external/chainlink/ChainlinkUtil.sol#L41-L57

However, if the sequencerUptimeFeed is not present, the function does not halt execution. This means that even if the sequencerUptimeFeed is missing for a particular asset, the transaction will still proceed.

This absence can lead to potential issues where stale prices are returned, which may result in the liquidation of some accounts and profits for others. The Zaros team appears to not be giving adequate attention to the sequencer component, as its implementation came only after an audit by the Cyfrin team. Given that Zaros is a DEX platform, it is imperative to handle these sensitive components carefully and ensure transactions are reverted if the sequencerUptimeFeed address is not present.

While if we check PerpMarket:getIndexPrice, when the sequencerUptimeFeed is fetched from the globalConfiguration there is no address(0) check while priceAdapter having a address(0) check

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/leaves/PerpMarket.sol#L72-L86

Impact

1. if the sequencerUptimeFeed is absent, the system may utilize outdated price data. This stale price can misrepresent the current market value, leading to incorrect transaction processing.

2. Malicious actors might exploit the absence of the sequencerUptimeFeed to their advantage.

3. If the price data is stale and shows a lower value than the actual market price, users' positions may be liquidated unjustly, causing financial losses.

Tools Used

Manual

Recommendations

If no sequencer address then revert the transaction.