Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Report for StabilityBranch.sol contract - Medium severity

0xjonaseb11

Summary

external/
└── market-making/
└── branches/
└── StabilityBranch.sol

Three medium-severity issues were found, concerning front-running risks, gas inefficiencies, and external dependency risks. These may not cause immediate fund loss but could lead to financial manipulation, high gas costs, or system instability.

Vulnerability Details

1. Front-Running in `initiateSwap`

Description: The initiateSwap function is susceptible to front-running attacks, where malicious actors can observe pending transactions and manipulate prices before they are executed.
Code Affected: initiateSwap.

ctx.vaultAssetBalance = IERC20(ctx.initialVaultCollateralAsset).balanceOf(ctx.initialVaultIndexToken);

for (uint256 i; i < amountsIn.length; i++) {

// for all but first iteration, refresh the vault and enforce same collateral asset

if (i != 0) {

currentVault = Vault.load(vaultIds[i]);

// revert for swaps using vaults with different collateral assets

if (currentVault.collateral.asset != ctx.initialVaultCollateralAsset) {

revert Errors.VaultsCollateralAssetsMismatch();

}

// refresh current vault balance in native precision of ctx.initialVaultCollateralAsset

ctx.vaultAssetBalance = IERC20(ctx.initialVaultCollateralAsset).balanceOf(currentVault.indexToken);

}

2. Gas Limit Issues

Description: Functions such as initiateSwap and fulfillSwap perform multiple state updates and external calls, which could lead to transactions running out of gas.
Code Affected: initiateSwap, fulfillSwap.

3. Dependency Risks

Description: The contract depends on external libraries (Vault, Collateral, UsdTokenSwapConfig). If these dependencies are compromised or updated incorrectly, the contract’s security could be impacted.
Code Affected: All external library imports.

Impact

Potential front-running exploits leading to manipulated swaps.
Gas inefficiencies causing transaction failures.
Risk of external contract vulnerabilities affecting functionality.

Tools Used

Manual Review: Assessed gas consumption patterns.
Slither: Identified front-running opportunities.

Recommendations

Implement commit-reveal schemes or minimum execution delays to mitigate front-running.
Optimize gas usage by batching state changes and caching storage variables.
Regularly audit external dependencies and verify their integrity.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.