search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

feelereth - A malicious miner could manipulate prices to liquidate positions inappropriately #84

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

feelereth

high

A malicious miner could manipulate prices to liquidate positions inappropriately

Summary

position liquidations in the _invariant function do not check for worst case loss scenarios

Vulnerability Detail

This Link only checks the current price, not a worst case price move

The _invariant function is used to verify that certain conditions are met before allowing a position update. This includes checking that the position is sufficiently collateralized. However, it only checks the current collateralization based on the latest oracle price. It does not consider the worst case loss if the price were to move against the position. A malicious miner could exploit this by:

  1. Waiting for a victim to take a large, undercollateralized position.
  2. In the same block, manipulate the oracle price to an extreme value that would cause the position to become hugely underwater.
  3. Call update to liquidate the victim's position at the manipulated price.

Impact

A malicious miner could manipulate prices to liquidate positions inappropriately

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L510-L512

Tool used

Manual Review

Recommendation

the contract could consider the largest possible loss if the price moved to the limit boundary.

sherlock-admin commented 1 year ago

3 comment(s) were left on this issue during the judging contest.

141345 commented:

d

darkart commented:

Write a POC and escalate

panprog commented:

invalid because it's not in the protocol specs to account for worst case price