A type safety vulnerability exists in the fillMarketOrder function of the SettlementBranch contract where an unsafe conversion to SD59x18 type could lead to unexpected behavior or reverts.
The fillMarketOrder function performs an unsafe type conversion when passing the sizeDelta parameter to the _fillOrder function. The issue stems from inadequate validation of the marketOrder.sizeDelta value before converting it to the SD59x18 fixed-point decimal type.
The vulnerability centers on the range constraints of the SD59x18 fixed-point decimal type. The current implementation converts marketOrder.sizeDelta to SD59x18 directly, without bounds checking. Values outside the valid SD59x18 range could therefore either cause the transaction to revert or, more concerning, fail silently and propagate incorrect values through position size calculations and the financial computations that depend on them.
When a market order contains a sizeDelta value approaching or exceeding SD59x18 bounds, the execution of fillMarketOrder becomes unpredictable. The transaction might revert during type conversion, or worse, proceed with corrupted values that affect position sizing, margin calculations, and other critical financial operations.
The fillOffchainOrders function in the same contract demonstrates a safer pattern:
The solution is a robust type conversion strategy. First, the code should validate that marketOrder.sizeDelta falls within acceptable SD59x18 bounds. Second, the conversion itself should go through a SafeCast implementation so that no truncation can pass unnoticed. Finally, the conversion should be wrapped in explicit error handling so that any failure is caught and reported with a specific reason rather than surfacing as a bare arithmetic panic.
For instance:
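The following is an added illustration of the validate-then-convert pattern described above; it is not code from the SettlementBranch contract or the project. It assumes PRBMath v4 (where `sd()` only wraps an int256 and performs no range check) and OpenZeppelin's SafeCast; the library name, error types, and the MAX_ABS_SIZE_DELTA cap are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// PRBMath v4: SD59x18 is a user-defined value type over int256; sd() only wraps,
// so any bounds enforcement has to happen before the wrap.
import { SD59x18, sd } from "@prb/math/src/SD59x18.sol";
import { SafeCast } from "@openzeppelin/contracts/utils/math/SafeCast.sol";

/// Constructed custom errors: a rejected order reverts with a specific reason
/// instead of an opaque panic deep inside position or margin math.
error SizeDeltaZero();
error SizeDeltaOutOfRange(int256 sizeDelta, int256 minAllowed, int256 maxAllowed);

/// Hypothetical helper library; names and the cap below are assumptions.
library SizeDeltaGuard {
    /// Assumed protocol cap on |sizeDelta| (1e18-scaled). It is kept far below
    /// the SD59x18 limits so that sizeDelta multiplied by any quoted price
    /// stays inside the range that SD59x18 mul()/div() can represent.
    int256 internal constant MAX_ABS_SIZE_DELTA = 1_000_000_000e18;

    /// Step 1 + 3: validate the raw order size, then wrap it as SD59x18.
    /// Reverts with an explicit error for every rejected input.
    function toCheckedSD(int256 sizeDelta) internal pure returns (SD59x18) {
        if (sizeDelta == 0) revert SizeDeltaZero();

        // Check both signs: a large negative size (a sell/close) is just as
        // capable of overflowing downstream arithmetic as a large positive one.
        if (sizeDelta > MAX_ABS_SIZE_DELTA || sizeDelta < -MAX_ABS_SIZE_DELTA) {
            revert SizeDeltaOutOfRange(sizeDelta, -MAX_ABS_SIZE_DELTA, MAX_ABS_SIZE_DELTA);
        }
        return sd(sizeDelta);
    }

    /// Step 2: when the checked value is narrowed back into an int128 storage
    /// field, go through SafeCast so truncation reverts instead of wrapping.
    function toStorageSize(SD59x18 checked) internal pure returns (int128) {
        return SafeCast.toInt128(SD59x18.unwrap(checked));
    }
}
```

A caller would replace a bare `sd(marketOrder.sizeDelta)` with `SizeDeltaGuard.toCheckedSD(marketOrder.sizeDelta)` and narrow with `toStorageSize` only at the point where the value is persisted.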