Skip to content

Latest commit

 

History

History
41 lines (29 loc) · 2.6 KB

029.md

File metadata and controls

41 lines (29 loc) · 2.6 KB
Raw

Dizzy Rusty Osprey

High

Market coordinator can liquidate all users in the market

Summary The README states the following:

Q: Please list any known issues and explicitly state the acceptable risks for each known issue. Coordinators are given broad control over the parameters of the markets they coordinate. The protocol parameter is designed to prevent situations where parameters are set to malicious steal funds. If the coordinator can operate within the bounds of reasonable protocol parameters to negatively affect markets we would like to know about it

Market coordinator can change margin and maintenance ratios and min USD amounts, and these do not have any upside limitation. This means that malicious coordinator can set these values to extremely high amounts (like 1000%), which will make all users positions unhealthy, allowing malicious coordinator to liquidate all users, negatively affecting all market users.

Since the coordinator also controls the fees, the full attack can consist of setting high margin and maintenance amounts, max fees, then liqudating all makers, opening small maker position and liquidating all takers, receiving max fee percentage off all users notional.

Root Cause It's probably not possible to avoid some users becoming liquidatable when the margin ratio is increased, even by well-intended coordinator. Still, there are neither timelock to let users know of the changes in advance, nor any sanity upside limit for the margin, the only limit is downside (so that it can't be set to 0): https://github.com/sherlock-audit/2024-08-perennial-v2-update-3/blob/main/perennial-v2/packages/perennial/contracts/types/RiskParameter.sol#L147-L157

Internal pre-conditions Malicious market coordinator.

External pre-conditions None.

Attack Path

  1. Coordinator sets max margin and maintenance ratios, max allowed liquidation fee and all the other fees
  2. Coordinator liquidates all makers
  3. Coordinator opens small maker position
  4. Coordinator liquidates all takers, which earns small liquidation fees + all position closure fees (which are percentage-based, e.g. 1%) are accumulated to coordinator's maker, which is the only maker in the market
  5. Coordinator closes maker position and withdraws all collateral

Impact At least 1% or more is stolen from all market users, along with all market positions being liquidated.

PoC Not needed.

Mitigation

  1. Force coordinator time lock, so that all users know well in advance of incoming market parameters changes
  2. Optionally add some sanity upside limit to margin, maintenance, minMargin and minMaintenance (set via protocolParameters).