DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Valid

Multiple DOS scenarios in _fillOffchainOrders

Summary

To fill the offchain orders for a market, the keeper passes an array of them to the _fillOffchainOrders function. This function runs several checks to validate each individual order's data and reverts the entire tx if any single order's data is incorrect.

Vulnerability Details

Code links

A malicious user can create and sign an offchain order with incorrect input in any of the above fields. Because these checks revert the entire tx, that one order causes a DOS for every other order passed alongside it in the array.

Impact

The impact is as follows:

  • If even one order's data is incorrect (e.g. size == 0 or an incorrect marketId), the whole tx reverts, causing a DOS for the other, valid orders.

  • The keeper's gas is wasted. A lot of gas is wasted if the invalid order is the last one in the array. If the keeper's gas is used up, it may not be able to process further orders.

Tools Used

Manual Review

Recommendations

Instead of reverting, use continue inside the if statement of each failing check so that the loop moves on to fill the next order(s).
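
The recommendation above, sketched as an added example that is not the audited protocol's code: the contract, struct, events and function names are hypothetical, and only the two checks named in this report (size == 0 and a mismatched marketId) are modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration with simplified, hypothetical types.
contract BatchFillSketch {
    struct OffchainOrder {
        uint128 marketId;
        int128 size;
    }

    event OrderFilled(uint256 indexed index);
    event OrderSkipped(uint256 indexed index, bytes32 reason);

    error ZeroSize(uint256 index);
    error MarketMismatch(uint256 index);

    // Before: one invalid order reverts the whole batch, including valid orders.
    function fillAllOrRevert(uint128 marketId, OffchainOrder[] calldata orders) external {
        for (uint256 i = 0; i < orders.length; i++) {
            if (orders[i].size == 0) revert ZeroSize(i);
            if (orders[i].marketId != marketId) revert MarketMismatch(i);
            _fill(i);
        }
    }

    // After: an invalid order is logged and skipped; the rest of the batch still fills.
    function fillSkippingInvalid(uint128 marketId, OffchainOrder[] calldata orders)
        external
        returns (uint256 filled)
    {
        for (uint256 i = 0; i < orders.length; i++) {
            if (orders[i].size == 0) {
                emit OrderSkipped(i, "ZERO_SIZE");
                continue;
            }
            if (orders[i].marketId != marketId) {
                emit OrderSkipped(i, "MARKET_MISMATCH");
                continue;
            }
            _fill(i);
            filled++;
        }
    }

    // Stand-in for the real fill logic.
    function _fill(uint256 index) private {
        emit OrderFilled(index);
    }
}
```

Emitting an event for each skipped order lets the keeper drop it from later batches instead of resubmitting it.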

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

fillOffchainOrders reverts everything if a single order fails one of the multiple checks

If you send 1 cancel and 1 create it should still run the cancel, not revert everything.
