Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Division by Zero Vulnerability in getAutoDeleverageFactor Leading to Market Paralysis

cheatc0d33

Description

The CreditDelegationBranch contract uses an auto-deleverage factor calculation to manage market risk through a polynomial regression curve. A critical vulnerability has been identified in the getAutoDeleverageFactor function where equal auto-deleverage start and end thresholds trigger a division by zero, leading to system-wide paralysis.

The issue occurs in the core ADL calculation:

UD60x18 unscaledDeleverageFactor = Math.min(marketDebtRatio, autoDeleverageEndThresholdX18)

.sub(autoDeleverageStartThresholdX18)

.div(autoDeleverageEndThresholdX18.sub(autoDeleverageStartThresholdX18));

When autoDeleverageEndThresholdX18 equals autoDeleverageStartThresholdX18, the division operation triggers a revert, propagating failures throughout the system's risk management infrastructure.

Impact

The Auto-Deleverage System forms the core risk management infrastructure, controlling USD token minting, profit calculations, and position management. When the division by zero occurs, it triggers a cascade of failures across these interconnected components. Market participants find themselves unable to execute token operations, calculate profits, or adjust positions. The risk management system becomes paralyzed precisely when market stress requires its intervention.

This paralysis extends beyond immediate transaction failures. Token withdrawals become blocked, preventing users from accessing their funds. Position adjustments freeze, leaving traders exposed to market movements. Most critically, the system's self-healing mechanisms become inoperable, preventing recovery from the stressed state.

Fix

The solution requires a multi-layered defense approach. At the configuration level:

function configure(

uint128 marketId,

uint128 autoDeleverageStartThreshold,

uint128 autoDeleverageEndThreshold,

uint128 autoDeleverageExponentZ

) internal {

if (autoDeleverageEndThreshold <= autoDeleverageStartThreshold) {

revert Errors.InvalidADLThresholds();

}

// ... rest of configuration

}

With runtime safety checks:

function getAutoDeleverageFactor(/*...*/) internal view returns (UD60x18) {

if (autoDeleverageEndThresholdX18.eq(autoDeleverageStartThresholdX18)) {

return UD60x18_UNIT; // or other appropriate fallback

}

// ... rest of calculation

}

And emergency fallback protection:

function getAutoDeleverageFactorSafe(/*...*/) internal view returns (UD60x18) {

try market.getAutoDeleverageFactor(/*...*/) returns (UD60x18 factor) {

return factor;

} catch {

return UD60x18_UNIT;

}

These layered protections ensure system stability while maintaining risk management functionality during market stress periods. The severity is critical as the vulnerability can completely disable core market operations.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.