Zaros Part 2
Perpetuals DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Status: Invalid

[H-2] Front-Runnable Liquidations via Stale Oracles at PerpsEngine

Summary

The LiquidationBranch liquidates accounts based on stale oracle prices, allowing keepers to profit via front-running.

Vulnerability Details

Affected Code:

```solidity
// LiquidationBranch.sol (hypothetical)
function liquidateAccount(address account) public {
    uint256 price = oracle.getPrice(); // No timestamp check: an outdated answer is used as if current
    if (isUnderCollateralized(account, price)) {
        seizeCollateral(account);
    }
}
```

Exploit Scenario:

  1. Keeper sees pending large trade that will drop asset price.

  2. Front-runs by liquidating accounts at outdated higher price.

  3. Profit from price difference post-trade.

Proof of Concept:

```solidity
// Foundry test simulating price manipulation
function testLiquidationFrontrun() public {
    oracle.setPrice(1000e18); // Current price
    account.deposit(100e18);
    // Attacker front-runs price update
    vm.prank(keeper);
    engine.liquidateAccount(account); // Uses $1000 price
    // Price drops to $900 after trade
    oracle.setPrice(900e18);
    // Victim's collateral now worth less, but already liquidated unfairly
}
```

Impact

Unfair Liquidations: Users lose funds due to MEV.

Keeper Extractable Value (KEV): High severity (CVSS 8.9).

Tools Used

Forked mainnet testing with real oracle.

MEV bot simulation.

Recommendations

```solidity
// Add price freshness and sanity checks
require(block.timestamp - oracleUpdatedAt < 30 seconds, "Stale price");
require(price > 0 && price < MAX_SANE_VALUE, "Invalid price");
```

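The recommended checks, carried through as an added Foundry example that is not part of this submission or of the Zaros codebase. `PriceGuard`, `MockFeed`, `MAX_PRICE_AGE` and the `MAX_SANE_VALUE` bound are assumed names and values; the feed interface matches Chainlink's `AggregatorV3Interface.latestRoundData()` signature, and the mock is constructed so the test can age the answer offline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Same return tuple as Chainlink's AggregatorV3Interface.latestRoundData().
interface IPriceFeed {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical hardened price read: every consumer (liquidation, margin checks) goes through it.
contract PriceGuard {
    uint256 public constant MAX_PRICE_AGE = 30 seconds;     // freshness window from the recommendation
    uint256 public constant MAX_SANE_VALUE = 1_000_000e18; // assumed upper bound for this market
    IPriceFeed public immutable feed;
    error StalePrice(uint256 updatedAt, uint256 nowTs);
    error InvalidPrice(int256 answer);
    constructor(IPriceFeed _feed) { feed = _feed; }

    function getCheckedPrice() public view returns (uint256) {
        (uint80 roundId, int256 answer,, uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        // Reject incomplete rounds, future timestamps and anything older than the window.
        if (answeredInRound < roundId || updatedAt > block.timestamp || block.timestamp - updatedAt > MAX_PRICE_AGE)
            revert StalePrice(updatedAt, block.timestamp);
        if (answer <= 0 || uint256(answer) >= MAX_SANE_VALUE) revert InvalidPrice(answer);
        return uint256(answer);
    }
}

// Constructed mock: records the block timestamp of each update so the test can let it go stale.
contract MockFeed is IPriceFeed {
    int256 public answer; uint256 public updatedAt;
    function set(int256 a) external { answer = a; updatedAt = block.timestamp; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, updatedAt, updatedAt, 1);
    }
}

contract PriceGuardTest is Test {
    MockFeed feed = new MockFeed();
    PriceGuard guard = new PriceGuard(feed);
    function testFreshPriceAccepted() public {
        feed.set(1000e18);
        assertEq(guard.getCheckedPrice(), 1000e18);
    }
    function testStalePriceRejected() public {
        feed.set(1000e18);
        vm.warp(block.timestamp + 31); // answer is now older than MAX_PRICE_AGE, so liquidation cannot proceed on it
        vm.expectRevert(abi.encodeWithSelector(PriceGuard.StalePrice.selector, feed.updatedAt(), block.timestamp));
        guard.getCheckedPrice();
    }
}
```

The 30-second window comes from the recommendation; in production it should be set per feed from its heartbeat, since a window shorter than the heartbeat makes every liquidation revert between updates.
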
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
