Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Inadequate Validation in Market Configuration Parameters

Summary

The configureMarket function lacks comprehensive validation of related parameters, allowing for inconsistent configurations that can lead to unintended behavior in the market's auto-deleveraging mechanism.

Vulnerability Details

The configureMarket function is responsible for setting up market parameters, including thresholds for auto-deleveraging. While it ensures that none of the input values are zero, it does not verify the logical relationship between autoDeleverageStartThreshold, autoDeleverageEndThreshold, and autoDeleverageExponentZ. This omission allows the owner to set inconsistent thresholds, such as having the start threshold lower than the end threshold, which can lead to improper liquidations or locking of positions. Such misconfigurations could destabilize market operations, breaking the security guarantee of reliable and predictable market behavior.

Impact

The impact is Medium, as it can lead to improper liquidations and market instability. Misconfigured thresholds can cause the auto-deleveraging mechanism to function incorrectly, resulting in financial loss and operational disruptions.

The likelihood is Medium/Low: although the function is restricted to the contract owner, human error or lack of awareness can lead to misconfigurations. The absence of logical checks increases the risk of such errors occurring.

Tools Used

An owner could inadvertently configure the market with a start threshold higher than the end threshold, leading to a non-functional auto-deleveraging mechanism. This misconfiguration can be demonstrated by calling the configureMarket function with inconsistent parameters:

// Sample misconfig
configureMarket(
    engineAddress,
    marketId,
    1000, // autoDeleverageStartThreshold
    500,  // autoDeleverageEndThreshold (incorrectly lower than start)
    2     // autoDeleverageExponentZ
);

Recommendations

Add logical checks to ensure autoDeleverageStartThreshold is less than autoDeleverageEndThreshold and validate the relationship with autoDeleverageExponentZ to prevent misconfigurations.

function configureMarket(
    address engine,
    uint128 marketId,
    uint128 autoDeleverageStartThreshold,
    uint128 autoDeleverageEndThreshold,
    uint128 autoDeleverageExponentZ
)
    external
    onlyOwner
{
    require(engine != address(0), "Engine address cannot be zero");
    require(marketId != 0, "Market ID cannot be zero");
    require(autoDeleverageStartThreshold != 0, "Start threshold cannot be zero");
    require(autoDeleverageEndThreshold != 0, "End threshold cannot be zero");
    require(autoDeleverageExponentZ != 0, "Exponent cannot be zero");
    // Add logical checks
    require(autoDeleverageStartThreshold < autoDeleverageEndThreshold, "Start threshold must be less than end threshold");
    // Additional checks for autoDeleverageExponentZ can be added here
    // Current logic...
}
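
A Foundry regression test for the recommended ordering check, added here as an illustration; it is not code from the submission or from the Zaros repository. `MarketConfigStub`, its three-argument `configureMarket`, and the `InvalidThresholdRange` error are hypothetical stand-ins, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the contract under test (assumption, not Zaros code).
contract MarketConfigStub {
    error InvalidThresholdRange(uint128 start, uint128 end);
    uint128 public startThreshold;
    uint128 public endThreshold;

    function configureMarket(uint128 start, uint128 end, uint128 exponentZ) external {
        require(start != 0 && end != 0 && exponentZ != 0, "zero input");
        // Ordering check from the recommendation; strict, so start == end is rejected too.
        if (start >= end) revert InvalidThresholdRange(start, end);
        startThreshold = start;
        endThreshold = end;
    }
}

contract MarketConfigTest is Test {
    MarketConfigStub internal market;

    function setUp() public {
        market = new MarketConfigStub();
    }

    function expectRangeRevert(uint128 start, uint128 end) internal {
        vm.expectRevert(abi.encodeWithSelector(MarketConfigStub.InvalidThresholdRange.selector, start, end));
    }

    // The sample misconfiguration from the report: start 1000, end 500, exponent 2.
    function test_RevertWhen_StartAboveEnd() public {
        expectRangeRevert(1000, 500);
        market.configureMarket(1000, 500, 2);
    }

    // Fuzz: any non-zero pair with start >= end reverts and leaves storage unset.
    function testFuzz_RejectsInvertedOrEqualRange(uint128 start, uint128 end) public {
        vm.assume(end != 0 && start >= end);
        expectRangeRevert(start, end);
        market.configureMarket(start, end, 2);
        assertEq(market.startThreshold(), 0);
    }

    function test_AcceptsOrderedRange() public {
        market.configureMarket(500, 1000, 2);
        assertEq(market.endThreshold(), 1000);
    }
}
```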

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
