DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

Vulnerability in Handling Rebasing Tokens in `TradingAccountBranch`

Summary

The `depositMargin` and `withdrawMargin` functions in the `TradingAccountBranch` contract are vulnerable to issues arising from handling rebasing tokens like stETH. If the stETH balance changes due to a rebase event between the time of deposit/withdrawal initiation and balance adjustment, it can lead to discrepancies in user balances and margin calculations.

Vulnerability Details

DepositMargin:

Issue: stETH balance may decrease post-deposit but pre-balance adjustment.
Impact: Incorrect margin collateral balance, affecting margin calculations and trading activities.

WithdrawMargin:

Issue: stETH balance may change post-withdrawal initiation but pre-balance adjustment.
Impact: Discrepancies in withdrawal amounts, impacting protocol reserves and user balances.

Create Market Order:

Issue: stETH balance may change after order creation but before the order is filled.
Impact: Incorrect margin calculations, affecting the execution of the market order.

Keeper Fill Market Order:

Issue: stETH balance may change after the order is created but before the keeper fills the order.
Impact: Margin calculations may not reflect the updated stETH balance, leading to potential discrepancies in order execution.

Impact

Incorrect Margin Calculations: Users' margin collateral balances may not reflect the actual stETH balance post-rebase, leading to inaccurate margin calculations.

Discrepant Withdrawals: Users may receive more or less than intended during withdrawals, affecting both user balances and protocol reserves.

Trading Activities: Incorrect margin balances can impact users' ability to trade and maintain positions, potentially leading to unintended liquidations.

Tools Used

Manual Review

Recommendations

Modify `depositMargin` and `withdrawMargin` functions to account for potential rebase events.
Adjust deposited and withdrawn amounts based on the latest stETH balance.
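
The drift this submission describes can be reproduced with a small model, added here as an illustration and not taken from the submission or the protocol's code. It assumes a stETH-like token whose balances are derived from shares, and compares a ledger that stores the nominal deposit amount with one that stores the shares received; `RebasingToken`, `simulate` and the `"user"`/`"vault"` accounts are hypothetical names.

```python
class RebasingToken:
    """Constructed stETH-like model: balance = shares * pooled / total_shares."""

    def __init__(self):
        self.pooled = 0          # underlying backing all shares
        self.total_shares = 0
        self.shares = {}

    def to_shares(self, amount):
        if self.total_shares == 0:
            return amount
        return amount * self.total_shares // self.pooled

    def balance_of(self, who):
        if self.total_shares == 0:
            return 0
        return self.shares.get(who, 0) * self.pooled // self.total_shares

    def mint(self, who, amount):
        minted = self.to_shares(amount)
        self.shares[who] = self.shares.get(who, 0) + minted
        self.total_shares += minted
        self.pooled += amount

    def transfer(self, src, dst, amount):
        moved = self.to_shares(amount)
        if self.shares.get(src, 0) < moved:
            raise ValueError("insufficient balance")
        self.shares[src] -= moved
        self.shares[dst] = self.shares.get(dst, 0) + moved
        return moved

    def rebase(self, new_pooled):
        self.pooled = new_pooled  # balances change, share counts do not


def simulate(pooled_after_rebase, deposit=100, supply=1_000):
    """Deposit, rebase, then compare a nominal ledger with a share ledger."""
    token = RebasingToken()
    token.mint("user", supply)
    nominal_credit = deposit  # assumed ledger: stores the amount passed in
    share_credit = token.transfer("user", "vault", deposit)  # stores shares
    token.rebase(pooled_after_rebase)
    held = token.balance_of("vault")
    share_claim = share_credit * token.pooled // token.total_shares
    return {"nominal_credit": nominal_credit, "held": held,
            "share_claim": share_claim, "drift": held - nominal_credit}
```

A negative `drift` means the nominal ledger credits more than the vault holds, while `share_claim` always equals `held` because share counts are unaffected by the rebase.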

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
