Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Some positions can be liquidated immediately after settlement

Oblivionis

Summary

Now the maintaince margin check in _fillOrder is too early and not sufficient, certain positions may be able to be liquidated instantly after settlement.

Vulnerability Details

For users who wish to change their existing positions, the following is the logic executed by _fillOrder: (We omit some security checks for now)

fetch global config, perp market's config, account config, etc from storage
get funding rates for this perp market (using fillprice)
update funding rates
calculate order & settlement fees (using fillprice)
calculate required initial & maintenance margin for this trade and account's unrealized PNL (using IndexPrice)
Ensure that the user has sufficient margin (based on calculations in step 5)
cache unrealized PNL from potential existing position in this market including accrued funding (using fillprice)
update all config storage
If unrealized PnL > 0, mint new usdTokens for trader's margin account
Deduct collateral ( If unrealized PnL < 0 ) and order/settlement fees from trader's margin account

Now lets dive into step 5 to figure out what happeds here:

2024-07-zaros/src/perpetuals/leaves/TradingAccount.sol at main · Cyfrin/2024-07-zaros · GitHub

// calculate price impact of the change in position

UD60x18 markPrice = perpMarket.getMarkPrice(sizeDeltaX18, perpMarket.getIndexPrice());

Whether for targetMarketId or another Market, the markPrice used is always based on Chainlink Feed.

There are two central points of conflict here:

The cost of this order(order/settlement fees) was not taken into account when calculating the margin in step 5, but they are later subtracted from the margin in step 10.
The price used in Step 5(to calculate markPrice) is indexPrice, while the price used in step 7(to calculate markPrice) is fillprice, which is one of ASK/BID price. There is often a spread between these three prices, which makes the actual PnL and the estimated value differ significantly

Impact

Likelihood: medium - This issue require certain position size and margin balance to exist.

Impact: high - 1. Some positions can be liquidated immediately after settlement 2. Protocol can be insolvent if the liquidation is too deep such that the accounts collateral is not enough to cover the potential losses.

= Severity: high

Tools Used

Recommendations

check if the opened position will make the account liquidatable at the end of the execute order.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`isLiquidatable` check missing in `_fillOrder()`

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.