Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Front-Running Vulnerability in Liquidation Mechanism

Description

A critical vulnerability has been identified in the perpetual protocol's liquidation mechanism where the lastFundingTime parameter can be manipulated through front-running attacks, potentially leading to economic exploitation.

The vulnerability centers on the funding rate update mechanism in PerpMarket.sol, which is called during liquidation events. The core of the issue lies in the atomic nature of the funding rate updates and their relationship to liquidation timing.

The updateFunding function directly sets funding parameters without any timing controls:

    function updateFunding(Data storage self, SD59x18 fundingRate, SD59x18 fundingFeePerUnit) internal {
        self.lastFundingRate = fundingRate.intoInt256();
        self.lastFundingFeePerUnit = fundingFeePerUnit.intoInt256();
        self.lastFundingTime = block.timestamp; // Vulnerable point
    }

The attack vector emerges from the mempool visibility of liquidation transactions. Malicious liquidators can observe and front-run legitimate liquidations, forcing funding rate updates at strategic times. This manipulation affects funding calculations for all subsequent liquidations in the same block.

The funding rate calculations depend critically on the elapsed time since the last update. By controlling the update timing through front-running, attackers can manipulate the economic parameters of liquidations that follow. This vulnerability becomes especially potent during periods of high market volatility.

The impact manifests through distorted funding rate calculations leading to incorrect liquidation amounts. The manipulation creates an unfair advantage for front-running liquidators while causing financial losses for legitimate ones. Protocol stability suffers most during volatile market conditions when accurate liquidations are most crucial.

The attack requires liquidator status and basic MEV capabilities. The manipulation becomes highly profitable during market volatility, with impact scaling directly with liquidation size. The current implementation lacks timing controls or rate-limiting mechanisms that could prevent such manipulation.

The vulnerability undermines the protocol's economic security by allowing funding rate manipulation. This leads to financial losses for legitimate liquidators and creates systemic instability.

Proof of Concept

The attack executes through mempool monitoring and strategic transaction ordering. When a legitimate liquidation appears, the attacker front-runs it with a higher gas price. The forced funding rate update at the attacker's chosen time creates favorable conditions for their liquidation while disadvantaging subsequent ones.

Recommended Mitigations

Key defensive measures should include implementing minimum time intervals between funding updates and moving to a more deterministic funding rate mechanism. The protocol should consider batch processing of liquidations to reduce timing dependencies.
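
One way to express the first recommendation, a minimum interval between funding updates, as an added example that is not Zaros code. Plain int256/uint256 values stand in for the SD59x18 types shown above, and the GuardedFunding library, the MIN_FUNDING_INTERVAL constant with its 60-second value, and the harness contract are all assumptions made for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Zaros code. Plain integers replace SD59x18;
/// MIN_FUNDING_INTERVAL is an assumed parameter.
library GuardedFunding {
    uint256 internal constant MIN_FUNDING_INTERVAL = 60; // seconds, assumed value

    struct Data {
        int256 lastFundingRate;
        int256 lastFundingFeePerUnit;
        uint256 lastFundingTime;
    }

    /// Stores new funding parameters only if MIN_FUNDING_INTERVAL has elapsed
    /// since the last stored update. Returns true when storage was written.
    function updateFunding(Data storage self, int256 fundingRate, int256 fundingFeePerUnit)
        internal
        returns (bool updated)
    {
        // The very first update (lastFundingTime == 0) always goes through.
        if (self.lastFundingTime != 0 && block.timestamp - self.lastFundingTime < MIN_FUNDING_INTERVAL) {
            // Skipped: lastFundingTime is left unchanged, so the elapsed time
            // seen by the next accepted update still covers this period.
            return false;
        }
        self.lastFundingRate = fundingRate;
        self.lastFundingFeePerUnit = fundingFeePerUnit;
        self.lastFundingTime = block.timestamp;
        return true;
    }
}

/// Minimal harness so the guard can be exercised from a Foundry test
/// (for example by warping block.timestamp between calls).
contract GuardedFundingHarness {
    using GuardedFunding for GuardedFunding.Data;

    GuardedFunding.Data public market;

    function update(int256 fundingRate, int256 fundingFeePerUnit) external returns (bool) {
        return market.updateFunding(fundingRate, fundingFeePerUnit);
    }
}
```

A caller that settles positions against freshly computed funding values has to treat a false return consistently, otherwise the settled figures and the stored ones diverge.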

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
