Closed: sherlock-admin closed this issue 1 year ago
2 comment(s) were left on this issue during the judging contest.
141345 commented:
o
panprog commented:
invalid because scenario is not possible: user can't realize loss and profit in the same transaction: he's settled only once for each timestamp
feelereth
high
the collateral checkpointing logic is vulnerable to miner/validator manipulation
Summary
The collateral checkpointing logic in _checkpointCollateral() retroactively updates the collateral on the latest position based on fees/rewards incurred after that position snapshot.
Vulnerability Detail
The key issue is that _checkpointCollateral() retroactively modifies already committed state (the collateral level on the latest position). This allows a miner/validator to manipulate the state transition as follows:
Impact
This exploits the fact that miners/validators control transaction ordering and can manipulate state changes across transactions.
Code Snippet
https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L371-L384
Tool used
Manual Review
Recommendation
• Remove the collateral adjustment logic completely
• Only subtract fees/rewards up to the current block timestamp, not future pending positions