DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Valid

No way to pay for the Chainlink Automation fee

Summary

SettlementBranch has no way to receive ETH, so it will not be able to pay the Chainlink Automation fee of $0.35 (see https://docs.chain.link/data-streams/billing).

Vulnerability Details

The SettlementBranch contract has no way to receive the native asset, which is the payment type the Zaros team chose for paying to verify the oracle prices.

ChainlinkUtil.sol

    function getEthVericationFee(
        IVerifierProxy chainlinkVerifier,
        bytes memory reportData
    )
        internal
        returns (FeeAsset memory fee)
    {
        IFeeManager chainlinkFeeManager = chainlinkVerifier.s_feeManager();
        address feeTokenAddress = chainlinkFeeManager.i_nativeAddress();
        (fee,,) = chainlinkFeeManager.getFeeAndReward(address(this), reportData, feeTokenAddress);
    }

Although this code is located in the ChainlinkUtil and SettlementConfiguration files, both are libraries that are part of the SettlementBranch, and none of these files has the ability to receive the native asset that will be used to pay the Chainlink fee.

Impact

Prices cannot be verified in SettlementBranch::fillMarketOrder and SettlementBranch::fillOffchainOrders, so those transactions will revert, preventing orders from being executed.

(ctx.bidX18, ctx.askX18) = settlementConfiguration.verifyOffchainPrice(priceData, globalConfiguration.maxVerificationDelay);

Tools Used

Manual Review

Recommendations

Add a receive function so that the native asset can be sent to the contract to pay the Chainlink fee.
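The sketch below is an added example, not code from the Zaros repository or from the submission. It reproduces the condition with hypothetical contracts (MockPaidVerifier, EngineNoReceive, EngineWithReceive, Demo) and a constructed fee value, showing that a contract without receive() can neither be funded by a plain transfer nor forward a native fee, while the same contract with receive() can.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a verifier that charges a native-asset fee per report.
contract MockPaidVerifier {
    uint256 public constant FEE = 0.001 ether; // constructed value, not Chainlink's

    function verify(bytes calldata report) external payable returns (bytes memory) {
        require(msg.value >= FEE, "fee not paid");
        return report;
    }
}

// Mirrors the reported condition: the fee is forwarded from the contract's own
// balance, but there is no receive() or payable function to fund that balance.
contract EngineNoReceive {
    MockPaidVerifier internal immutable verifier;

    constructor(MockPaidVerifier v) { verifier = v; }

    function fill(bytes calldata report) external returns (bytes memory) {
        // Reverts whenever address(this).balance is below the fee.
        return verifier.verify{value: verifier.FEE()}(report);
    }
}

// Same logic plus the recommended receive(), so the balance can be topped up.
contract EngineWithReceive is EngineNoReceive {
    constructor(MockPaidVerifier v) EngineNoReceive(v) {}
    receive() external payable {}
}

// Harness: call run() with at least 0.001 ether attached and compare the flags.
contract Demo {
    function run() external payable
        returns (bool fundedBroken, bool filledBroken, bool fundedFixed, bool filledFixed)
    {
        MockPaidVerifier v = new MockPaidVerifier();
        EngineNoReceive broken = new EngineNoReceive(v);
        EngineWithReceive fixedEngine = new EngineWithReceive(v);

        // Plain transfer to a contract with no receive()/payable fallback is rejected.
        (fundedBroken,) = address(broken).call{value: v.FEE()}("");
        try broken.fill("report") returns (bytes memory) { filledBroken = true; } catch {}

        // The variant with receive() accepts the transfer and can then pay the fee.
        (fundedFixed,) = address(fixedEngine).call{value: v.FEE()}("");
        try fixedEngine.fill("report") returns (bytes memory) { filledFixed = true; } catch {}
    }
}
```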

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

No means for the PerpEngine to receive native to pay the Chainlink Verifier in case Chainlinks charges fees to the protocol
