Zaros Part 2
Perpetuals DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

Lack of Boundary Checks in configure Function

Summary
The configure function in the Market.sol contract lacks minimum and maximum boundary checks for the autoDeleverageStartThreshold, autoDeleverageEndThreshold, and autoDeleverageExponentZ parameters. This can lead to improper configuration, especially in volatile markets, potentially causing excessive collateral liquidation.

Vulnerability Details

The issue is located in the following code snippet:

function configure(
    uint128 marketId,
    uint128 autoDeleverageStartThreshold,
    uint128 autoDeleverageEndThreshold,
    uint128 autoDeleverageExponentZ
)
    internal
{
    Data storage self = load(marketId);
    self.id = marketId;
    self.autoDeleverageStartThreshold = autoDeleverageStartThreshold; //@audit no MIN/MAX boundary values
    self.autoDeleverageEndThreshold = autoDeleverageEndThreshold;
    self.autoDeleverageExponentZ = autoDeleverageExponentZ;
}

The function sets the auto-deleverage thresholds and exponent without checking if they fall within acceptable ranges. This can lead to improper configuration, especially in volatile markets, potentially causing excessive collateral liquidation.

Impact

The impact of this issue is that improper configuration of the auto-deleverage parameters can lead to excessive collateral liquidation, making it difficult to manage positions in volatile markets. This can result in significant losses for users and destabilize the market.

Tools Used

Manual code review

Recommendations
To mitigate this issue, it is recommended to add minimum and maximum boundary checks for the autoDeleverageStartThreshold, autoDeleverageEndThreshold, and autoDeleverageExponentZ parameters. This can be achieved by implementing the following changes:

  1. Define minimum and maximum values for the parameters.

  2. Add require statements to enforce the boundary checks.

function configure(
    uint128 marketId,
    uint128 autoDeleverageStartThreshold,
    uint128 autoDeleverageEndThreshold,
    uint128 autoDeleverageExponentZ
)
    internal
{
    Data storage self = load(marketId);
    // Define minimum and maximum values
    uint128 minThreshold = 1;  // Example minimum value
    uint128 maxThreshold = 100; // Example maximum value
    uint128 minExponent = 1;   // Example minimum value
    uint128 maxExponent = 10;  // Example maximum value
    // Add boundary checks
    require(autoDeleverageStartThreshold >= minThreshold && autoDeleverageStartThreshold <= maxThreshold, "Start threshold out of bounds");
    require(autoDeleverageEndThreshold >= minThreshold && autoDeleverageEndThreshold <= maxThreshold, "End threshold out of bounds");
    require(autoDeleverageExponentZ >= minExponent && autoDeleverageExponentZ <= maxExponent, "Exponent out of bounds");
    self.id = marketId;
    self.autoDeleverageStartThreshold = autoDeleverageStartThreshold;
    self.autoDeleverageEndThreshold = autoDeleverageEndThreshold;
    self.autoDeleverageExponentZ = autoDeleverageExponentZ;
}

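A Foundry test exercising the recommended checks, added here as an illustration; it is not part of the submission or of the Zaros code base. It reuses the submission's example bounds, while the contract and test names and the extra start < end ordering check are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import { Test } from "forge-std/Test.sol";

// Stand-in for Market.configure with the recommended range checks. Bounds are the
// submission's example values; the start < end check is an assumption of this example.
contract BoundedMarketConfig {
    uint128 public constant MIN_THRESHOLD = 1;
    uint128 public constant MAX_THRESHOLD = 100;
    uint128 public constant MIN_EXPONENT = 1;
    uint128 public constant MAX_EXPONENT = 10;
    struct Data {
        uint128 id;
        uint128 autoDeleverageStartThreshold;
        uint128 autoDeleverageEndThreshold;
        uint128 autoDeleverageExponentZ;
    }
    mapping(uint128 => Data) public markets; // public getter returns the members as a tuple
    function configure(uint128 marketId, uint128 start, uint128 end, uint128 exponentZ) external {
        require(start >= MIN_THRESHOLD && start <= MAX_THRESHOLD, "Start threshold out of bounds");
        require(end >= MIN_THRESHOLD && end <= MAX_THRESHOLD, "End threshold out of bounds");
        require(start < end, "Start threshold must be below end threshold"); // assumed ordering
        require(exponentZ >= MIN_EXPONENT && exponentZ <= MAX_EXPONENT, "Exponent out of bounds");
        Data storage self = markets[marketId];
        self.id = marketId;
        self.autoDeleverageStartThreshold = start;
        self.autoDeleverageEndThreshold = end;
        self.autoDeleverageExponentZ = exponentZ;
    }
}

contract BoundedMarketConfigTest is Test {
    BoundedMarketConfig internal cfg;
    function setUp() public { cfg = new BoundedMarketConfig(); }
    function testAcceptsInRangeValues() public {
        cfg.configure(1, 50, 90, 3);
        (, uint128 start, uint128 end, uint128 exponentZ) = cfg.markets(1);
        assertEq(uint256(start), 50); assertEq(uint256(end), 90); assertEq(uint256(exponentZ), 3);
    }
    // configure is an external call, so vm.expectRevert sees the callee's revert.
    function testRejectsZeroStartThreshold() public {
        vm.expectRevert(bytes("Start threshold out of bounds"));
        cfg.configure(1, 0, 90, 3);
    }
    function testRejectsOversizedExponent() public {
        vm.expectRevert(bytes("Exponent out of bounds"));
        cfg.configure(1, 50, 90, 11);
    }
}
```

Run with `forge test`; the reverting cases only pass because configure is invoked through an external call, which is what vm.expectRevert intercepts.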
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
