code-423n4 / 2021-06-tracer-findings


Market creator can steal user funds by setting fees >= 100% #103

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The market creator is trusted, so this should probably not be counted as an issue.

The TracerPerpetualSwaps.setFeeRate function does not limit the feeRate in any way and it can be set to more than 100%.

Impact

A market creator that used the official TracerPerpetualsFactory.deployTracer factory function to create a market can steal user funds. Note that they were transferred ownership by the tracer.transferOwnership(tracerOwner); call.

Upon observing a matchOrders transaction, they front-run it with a setFeeRate(100%) action to steal 100% of the fees. (The fees can even be set to more than 100% which allows stealing even more from the user's quote (collateral) as long as they still have enough margin.)

Note that this attack can happen at any time: a market creator can gain the trust of the DAO first and even have their market "approved" by the DAO before executing the attack.

Recommended Mitigation Steps

Have a global maximum fee hardcoded into the contract that cannot be changed. Validate if the fee is below that value.
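
Added example (not part of the original report and not Tracer's code): a minimal Solidity sketch of the recommended mitigation, with the cap enforced in both the constructor and the setter. The contract name, `MAX_FEE_RATE`, its 1% value, `feeFor`, and the 18-decimal fixed-point scale are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only. Every name except setFeeRate/feeRate is hypothetical.
contract CappedFeeMarket {
    // Assumption: rates are 18-decimal fixed point, so 1e18 == 100%.
    uint256 public constant WAD = 1e18;
    // Assumed ceiling of 1%. A constant is part of the bytecode, so no
    // owner or governance call can raise it after deployment.
    uint256 public constant MAX_FEE_RATE = 1e16;

    address public owner;
    uint256 public feeRate;

    event FeeRateUpdated(uint256 oldRate, uint256 newRate);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _owner, uint256 _feeRate) {
        // Validate at deployment too, or the cap could be bypassed here.
        require(_feeRate <= MAX_FEE_RATE, "fee above cap");
        owner = _owner;
        feeRate = _feeRate;
    }

    // An unbounded setter of the kind the report describes would only
    // assign: feeRate = _feeRate; (paraphrase, not the project's source).
    function setFeeRate(uint256 _feeRate) external onlyOwner {
        require(_feeRate <= MAX_FEE_RATE, "fee above cap");
        emit FeeRateUpdated(feeRate, _feeRate);
        feeRate = _feeRate;
    }

    // Fee charged on a matched amount. With the cap in place the result
    // can never exceed amount * MAX_FEE_RATE / WAD.
    function feeFor(uint256 amount) public view returns (uint256) {
        return (amount * feeRate) / WAD;
    }
}
```

The cap bounds the worst case rather than removing the owner's ability to change fees: a change can still land just before a trade, but never above `MAX_FEE_RATE`, and the `FeeRateUpdated` event gives monitoring something to alert on.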

raymogg commented 3 years ago

Duplicate of #102

loudoguno commented 3 years ago

changed severity from 0 to 1 as per judges sheet