Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Unregistered Engine Exploit in Vault Creation

prashikshit

Summary

The Vault.create() function allows the creation of vaults with unregistered engine addresses. This enables attackers to deploy vaults linked to malicious or untrusted engines, bypassing protocol safeguards and potentially leading to fund theft or system manipulation.

Vulnerability Details

Location

Vault.sol – create() function

Technical Analysis

Root Cause:
The create() function initializes a vault’s engine parameter directly from user input (params.engine) without validating whether the engine is registered in the protocol’s MarketMakingEngineConfiguration.

// Vulnerable code in Vault.sol
function create(CreateParams memory params) internal {
Data storage self = load(params.vaultId);
// ...
self.engine = params.engine; // No validation of engine registration
}
Expected Behavior:
The protocol should only allow vaults to be created with engines that have been explicitly registered via MarketMakingEngineConfiguration. This ensures all engines comply with protocol rules and security audits.
Actual Behavior:
Attackers can specify arbitrary engine addresses (including malicious ones), allowing them to bypass protocol controls.

Impact

Critical Severity
- Fund Theft: Malicious engines can create fake markets, manipulate debt calculations, or siphon vault collateral.
- System Instability: Unaudited engines may violate protocol invariants, leading to incorrect debt distributions or vault insolvency.
- Governance Bypass: Attackers can deploy vaults that ignore fee structures, collateral rules, or other protocol-level constraints.

Proof of Concept (PoC)

Attack Scenario

Deploy Malicious Engine:
An attacker deploys a malicious engine contract that overrides critical functions (e.g., debt distribution, fee collection).
Create Vault with Malicious Engine:

Vault.CreateParams memory params = Vault.CreateParams({
vaultId: 123,
engine: address(maliciousEngine), // Unregistered engine
// ... other parameters
});
Vault.create(params); // Executes without validation
Connect to Fake Market:
The malicious engine connects the vault to a fake market, allowing the attacker to:
- Mint unlimited synthetic assets.
- Drain collateral via manipulated debt settlements.
Exploit Execution:
The attacker triggers a debt settlement or withdrawal, causing the vault to transfer funds to the malicious engine’s controlled addresses.

Recommendations

Immediate Fix

Add a registration check in the create() function:

function create(CreateParams memory params) internal {

Data storage self = load(params.vaultId);

// Add engine validation

require(

MarketMakingEngineConfiguration.load().isRegisteredEngine(params.engine),

"Engine not registered"

);

// ... rest of the code

}

Additional Mitigations

Registry Event Tracking:
Emit an event when engines are registered to improve transparency:
event EngineRegistered(address indexed engine);

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.