Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Price Manipulation Risk Due to Circular Asset Paths in Settlement Logic

cheatc0d33

Summary

The AssetSwapPath library lacks validation against circular paths, allowing duplicate assets in swap configurations. This enables price manipulation attacks affecting debt settlement and protocol collateralization.

// AssetSwapPath.sol

function configure(

Data storage self,

bool enabled,

address[] memory assets,

uint128[] memory dexSwapStrategyIds

) internal {

// Missing validation for duplicate assets

self.enabled = enabled;

self.assets = assets;

self.dexSwapStrategyIds = dexSwapStrategyIds;

}

Scenario:

// Invalid path configuration example

assets = [sUSDe, USDe, sUSDe, USDC] // sUSDe duplicated

dexSwapStrategyIds = [3, 3, 1] // Curve, Curve, UniV3

The attack exploits the circular path through a coordinated sequence of operations. Initially, the attacker manipulates the sUSDe price by executing a large trade in the first Curve pool, artificially inflating the price for the first swap leg. Path circles back to sUSDe at different price in second Curve pool. This creates arbitrage opportunity between the two sUSDe prices This manipulation creates a price discrepancy that can be exploited during settlement.

When settlement executes through CreditDelegationBranch:

ctx.usdcOut = _convertAssetsToUsdc(

vault.swapStrategy.usdcDexSwapStrategyId,

ctx.vaultAsset,

ctx.swapAmount,

vault.swapStrategy.usdcDexSwapPath,

address(this),

ctx.usdc

);

The manipulated prices propagate through the system, ultimately corrupting critical state:

vault.marketsRealizedDebtUsd -= ctx.usdcOutX18.intoUint256().toInt256().toInt128();

UsdTokenSwapConfig.load().usdcAvailableForEngine[vault.engine] += ctx.usdcOutX18.intoUint256();

Impact

At the protocol level, this manipulation fundamentally undermines the debt settlement process. Settlement amounts become unreliable as they're based on artificially manipulated prices. Engine backing calculations inherit these manipulated values, leading to inaccurate collateralization ratios throughout the system.

The financial implications extend beyond direct manipulation profits. The protocol suffers from degraded settlement accuracy and increased operational costs from unnecessary circular swaps. This creates a systemic risk of undercollateralization as settlement values diverge from true market prices.

Recommended Fix

function configure(

Data storage self,

bool enabled,

address[] memory assets,

uint128[] memory dexSwapStrategyIds

) internal {

require(

_noDuplicateAssets(assets),

"AssetSwapPath: duplicate assets not allowed"

);

self.enabled = enabled;

self.assets = assets;

self.dexSwapStrategyIds = dexSwapStrategyIds;

}

function _noDuplicateAssets(address[] memory assets) internal pure returns (bool) {

for(uint i = 0; i < assets.length; i++) {

for(uint j = i + 1; j < assets.length; j++) {

if(assets[i] == assets[j]) return false;

}

return true;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.