Zaros Part 2

Perpetuals DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Missing Access Control in Market Configuration Parameters

Summary: Unauthorized modification of market parameters due to missing access controls in MarketMakingEngineConfigurationBranch.sol.

Vulnerability Details:
The configureMarketParameters function in MarketMakingEngineConfigurationBranch.sol lacks access control modifiers, allowing any address to alter critical market configurations (e.g., fees, collateral ratios). Attackers could exploit this to destabilize markets by setting extreme values, enabling undercollateralized positions, or disabling markets entirely.

Code Reference:

  // MarketMakingEngineConfigurationBranch.sol (lines X-Y)
  // No access-control modifier: any external caller can overwrite the
  // stored configuration for an arbitrary marketId.
  function configureMarketParameters(uint256 marketId, MarketParams memory params) public {
      marketConfigs[marketId] = params;
  }

The function carries no role check (no onlyOwner-style modifier and no internal authorization call), so it is callable by any address.

Attack Scenario:
An attacker calls configureMarketParameters to reduce the collateral ratio to 1%. Traders open large positions with minimal collateral. During market volatility, these positions cannot be liquidated efficiently, resulting in systemic undercollateralization and protocol insolvency.

Impact: Critical – Direct compromise of protocol integrity and user funds.

Recommendations:

  1. Add an onlyAuthorized modifier (e.g., onlyGovernance or onlyAdmin) to restrict access.

  2. Implement a timelock mechanism for parameter changes to allow community veto.
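The following contract is an added illustration of both recommendations combined, written for this page and not taken from the Zaros codebase: the configuration setter is restricted to an owner role, and every change is queued behind a fixed delay before it can take effect, so a bad value can be cancelled before it is applied. The contract name MarketParamsConfig, the struct fields, the two-day delay and the 50% collateral-ratio floor are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not Zaros code. The struct fields, the contract
// name, TIMELOCK_DELAY and MIN_COLLATERAL_RATIO_BPS are assumed values.
contract MarketParamsConfig {
    struct MarketParams {
        uint128 collateralRatioBps; // minimum collateral ratio, basis points (assumed field)
        uint128 feeBps;             // trading fee, basis points (assumed field)
        bool enabled;
    }

    struct PendingChange {
        MarketParams params;
        uint64 readyAt; // earliest timestamp at which the change may be applied
        bool exists;
    }

    uint256 public constant TIMELOCK_DELAY = 2 days;             // assumed delay
    uint256 public constant MIN_COLLATERAL_RATIO_BPS = 5_000;   // 50%, assumed floor

    address public owner;
    mapping(uint256 => MarketParams) public marketConfigs;
    mapping(uint256 => PendingChange) public pending;

    event ChangeQueued(uint256 indexed marketId, MarketParams params, uint64 readyAt);
    event ChangeApplied(uint256 indexed marketId, MarketParams params);
    event ChangeCancelled(uint256 indexed marketId);

    error Unauthorized(address caller);
    error NothingPending(uint256 marketId);
    error TimelockNotExpired(uint256 marketId, uint64 readyAt);
    error CollateralRatioTooLow(uint128 ratioBps);

    // Recommendation 1: the role check that the reported function lacks.
    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Recommendation 2, step 1: only the owner may queue a change, and bounds
    // are validated up front so an extreme value is rejected on entry rather
    // than after the delay has run.
    function queueMarketParameters(uint256 marketId, MarketParams calldata params)
        external
        onlyOwner
    {
        if (params.collateralRatioBps < MIN_COLLATERAL_RATIO_BPS) {
            revert CollateralRatioTooLow(params.collateralRatioBps);
        }
        uint64 readyAt = uint64(block.timestamp + TIMELOCK_DELAY);
        pending[marketId] = PendingChange({params: params, readyAt: readyAt, exists: true});
        emit ChangeQueued(marketId, params, readyAt);
    }

    // Step 2: anyone may apply once the delay has passed. Until then the
    // queued value is public and the owner can cancel it, which is the window
    // in which the community can review and object.
    function applyMarketParameters(uint256 marketId) external {
        PendingChange memory change = pending[marketId];
        if (!change.exists) revert NothingPending(marketId);
        if (block.timestamp < change.readyAt) {
            revert TimelockNotExpired(marketId, change.readyAt);
        }
        delete pending[marketId];
        marketConfigs[marketId] = change.params;
        emit ChangeApplied(marketId, change.params);
    }

    function cancelMarketParameters(uint256 marketId) external onlyOwner {
        if (!pending[marketId].exists) revert NothingPending(marketId);
        delete pending[marketId];
        emit ChangeCancelled(marketId);
    }
}
```

In a Foundry test the two properties worth asserting are that a non-owner call to queueMarketParameters reverts with Unauthorized, and that applyMarketParameters reverts with TimelockNotExpired until vm.warp moves block.timestamp past readyAt. The on-entry bound check is deliberately separate from the timelock: the delay protects against a mistaken or hostile owner, while the floor rejects values such as a 1% collateral ratio regardless of who submits them.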

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
