Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Cross-chain Replay Attacks in StabilityBranch.sol::fulfillSwap

Summary

The fulfillSwap function uses off‑chain price data provided by keepers without binding this data to a specific chain. As a result, a price report verified on one chain could be replayed on another chain where the contract is deployed.

Vulnerability Details

The problematic verification workflow is as follows:

    function fulfillSwap(user, requestId, priceData, engine) {
        // Verifies off-chain price data without checking chain-specific identifiers.
        let verifiedPrice = verifyPriceData(priceData); // No chainId or unique nonce check!
        // Continues processing the swap based on the unbound price data.
        processSwap(verifiedPrice, ...);
    }

Impact

  • Replay Exploits: An attacker could replay verified price data from one chain to another, causing the same swap request to be executed or approved multiple times.

  • Double Spends: This replay may lead to duplicate processing, asset misallocation, or unauthorized reward distribution, undermining the protocol’s integrity.

Tools Used

  • Cross-chain security analysis

  • Static analysis (MythX, Slither)

  • Manual code and design review

Recommendations

  • Chain-specific Data: Embed chain identifiers (e.g., chain ID, network nonce) within the price data payload and enforce that the verified report comes from the intended chain.

  • Nonce Management: Use nonces or time-bound tokens to ensure that price data is one‑time use only.

  • Verification Updates: Enhance the verification logic in the Chainlink verifier proxy to include chain-specific validations.
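A sketch of the chain-binding and one-time-use checks recommended above, as an added example that is not part of the submission, the Zaros codebase, or Chainlink's verifier. It assumes a single ECDSA report signer, and every contract, function, and field name in it is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only. All names here are hypothetical.
contract ChainBoundPriceReport {
    address public immutable trustedSigner;      // assumed off-chain report signer
    mapping(bytes32 => bool) public usedReports; // digest => already consumed

    error WrongSigner();
    error ReportExpired();
    error ReportAlreadyUsed();

    constructor(address signer) {
        trustedSigner = signer;
    }

    /// The digest commits to the chain ID and this contract's address, so a
    /// signature produced for one deployment does not verify on another.
    function reportDigest(uint128 requestId, uint256 price, uint64 validUntil)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), requestId, price, validUntil)
        );
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    /// Accepts a report once, before its deadline, and only from trustedSigner.
    function consumeReport(
        uint128 requestId, uint256 price, uint64 validUntil,
        uint8 v, bytes32 r, bytes32 s
    ) external returns (uint256) {
        if (block.timestamp > validUntil) revert ReportExpired();
        bytes32 digest = reportDigest(requestId, price, validUntil);
        // Replay is tracked per digest, not per signature, so a malleated
        // (r, s) pair for the same report is still rejected as already used.
        if (usedReports[digest]) revert ReportAlreadyUsed();
        // ecrecover returns address(0) when the signature is malformed.
        address recovered = ecrecover(digest, v, r, s);
        if (recovered == address(0) || recovered != trustedSigner) revert WrongSigner();
        usedReports[digest] = true;
        return price;
    }
}
```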

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
