The market creator is trusted so this should probably not be counted as an issue
The TracerPerpetualSwaps.setFeeRate function does not limit the feeRate in any way and it can be set to more than 100%.
Impact
A market creator that used the official TracerPerpetualsFactory.deployTracer factory function to create a market can steal user funds.
Note that they were transferred ownership by the tracer.transferOwnership(tracerOwner); call.
Upon observing a matchOrders transaction, they front-run it with a setFeeRate(100%) action to steal 100% of the fees.
(The fees can even be set to more than 100% which allows stealing even more from the user's quote (collateral) as long as they still have enough margin.)
Note that this attack can happen at any time: a market creator can gain the trust of the DAO first and even have their market "approved" by the DAO before executing the attack.
Recommended Mitigation Steps
Have a global maximum fee hardcoded into the contract that cannot be changed. Validate that the fee is below that value.
Handle
cmichel
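A sketch of the recommended mitigation, shown beside the unbounded pattern the finding describes. This is an added example, not code from the Tracer contracts: the contract names, the `MAX_FEE_RATE` value, the event, and the assumption that the fee rate is an 18-decimal fixed-point fraction (1e18 = 100%) are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only. Assumes feeRate is an 18-decimal fixed-point
// fraction where 1e18 == 100%; names and values below are hypothetical.
abstract contract OwnedFeeBase {
    address public owner;
    uint256 public feeRate;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Fee taken from a fill of `quoteAmount` at the current rate.
    function feeFor(uint256 quoteAmount) public view returns (uint256) {
        return (quoteAmount * feeRate) / 1e18;
    }
}

// Pattern described in the finding: the owner can store any value,
// including rates at or above 1e18 (100%).
contract UnboundedFee is OwnedFeeBase {
    function setFeeRate(uint256 _feeRate) external onlyOwner {
        feeRate = _feeRate;
    }
}

// Hardened form: the cap is a compile-time constant, so it lives in the
// bytecode and no owner or governance call can raise it after deployment.
contract CappedFee is OwnedFeeBase {
    uint256 public constant MAX_FEE_RATE = 1e16; // 1%, constructed value

    event FeeRateUpdated(uint256 oldFeeRate, uint256 newFeeRate);

    function setFeeRate(uint256 _feeRate) external onlyOwner {
        // Reject anything above the hardcoded ceiling before it is stored.
        require(_feeRate <= MAX_FEE_RATE, "fee rate above cap");
        // Emit so off-chain monitoring can flag fee changes.
        emit FeeRateUpdated(feeRate, _feeRate);
        feeRate = _feeRate;
    }
}
```

The cap does not stop the owner from changing the fee just ahead of a matchOrders transaction; it bounds what such a change can cost the user to the hardcoded maximum.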