bin2chen - Maliciously specifying a very large intent.price will result in a large gain at settlement, stealing funds #42
Labels: Sponsor Confirmed (the sponsor acknowledged this issue is valid); Will Fix (the sponsor confirmed this issue will be fixed)
bin2chen
High
Summary
When Market.sol generates an order, specifying a very large intent.price requires no additional collateral to back it, and the order is accepted normally.
At settlement, however, that price produces a large pnl, so a user can maliciously construct a very large intent.price and steal the resulting gain.
Root Cause
In CheckpointLib.sol#L79, when an order is settled the override pnl is calculated as
pnl = (toVersion.price - Intent.price) * taker()
and this value is credited to the collateral (local.collateral).
However, when a new order is added there is no limit on Intent.price, and the user only needs a small amount of collateral, just larger than what taker() * lastVersion.price requires.
In this way a malicious user can specify a very large Intent.price, and both parties need only a small amount of collateral to create the order successfully. At settlement, the profitable party receives the enlarged pnl, converted into collateral, which the user can then steal.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Example:
lastVersion.price = 123
Intent.price = 1250000000000 (far more than the normal price)
Intent.position = 5
Collateral posted by each party: only slightly more than Intent.position * lastVersion.price
Note: Alice_fake_user will take a huge loss, but that's ok; relative to the profit, the collateral given up is very small (10,000).
Impact
Maliciously specifying a very large intent.price will result in a large gain at settlement, stealing funds
PoC
The following example demonstrates that specifying a very large intent.price with very small collateral generates a very large return to collateral.
Add it to /perennial-v2/packages/perennial/test/unit/market/Market.test.ts
Mitigation
intent.price - lastVersion.price needs to be within a reasonable range; the difference must not be too large, and the difference needs to be secured by collateral.
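The arithmetic behind the Root Cause and the Mitigation sections, as an added illustration that is not Perennial's code and not the PoC test the report refers to. It models the pnl formula and the collateral requirement exactly as the report quotes them, then puts a bounded check beside them in the shape the Mitigation suggests. The function names, the `Intent` shape, the `maxDeviationBps` parameter and the use of plain numbers instead of the protocol's fixed-point types are all assumptions made for the example; the numbers come from the Attack Path section.

```typescript
// Added illustration, not Perennial's code: a minimal model of the intent
// settlement arithmetic described in this finding. The pnl formula and the
// collateral requirement are the ones the report quotes; the bounded variant
// follows the Mitigation section. Names and types are constructed for the
// example, and plain numbers stand in for the protocol's fixed-point values.

interface Intent {
  price: number;    // price fixed in the signed intent
  position: number; // taker position size
}

// Collateral an order currently needs, per the report: it scales only with
// lastVersion.price and ignores intent.price entirely.
function requiredCollateralUnbounded(intent: Intent, lastVersionPrice: number): number {
  return intent.position * lastVersionPrice;
}

// Settlement pnl credited to the taker, as quoted from CheckpointLib:
// (toVersion.price - intent.price) * taker. The counterparty gets the negation.
function takerSettlementPnl(intent: Intent, toVersionPrice: number): number {
  return (toVersionPrice - intent.price) * intent.position;
}

// Portion of the losing side's loss that its posted collateral cannot cover.
// This is the amount by which the winning side's enlarged pnl is unbacked,
// i.e. the funds at risk for the market.
function unbackedLoss(intent: Intent, lastVersionPrice: number, toVersionPrice: number): number {
  const takerLoss = Math.max(0, -takerSettlementPnl(intent, toVersionPrice));
  const posted = requiredCollateralUnbounded(intent, lastVersionPrice);
  return Math.max(0, takerLoss - posted);
}

// Hardened check (assumed design following the Mitigation section): cap the
// distance between intent.price and lastVersion.price, and require the posted
// collateral to cover that distance in addition to the base requirement.
function validateIntentBounded(
  intent: Intent,
  lastVersionPrice: number,
  postedCollateral: number,
  maxDeviationBps: number,
): { ok: boolean; reason?: string } {
  const deviation = Math.abs(intent.price - lastVersionPrice);
  const maxDeviation = (lastVersionPrice * maxDeviationBps) / 10_000;
  if (deviation > maxDeviation) {
    return { ok: false, reason: `intent.price deviates ${deviation} from lastVersion.price, limit ${maxDeviation}` };
  }
  const required = intent.position * lastVersionPrice + intent.position * deviation;
  if (postedCollateral < required) {
    return { ok: false, reason: `collateral ${postedCollateral} is below required ${required}` };
  }
  return { ok: true };
}

// Constructed worked numbers, taken from the Attack Path section.
const EXAMPLE_LAST_VERSION_PRICE = 123;
const EXAMPLE_INTENT: Intent = { price: 1_250_000_000_000, position: 5 };

// Stand-alone walk-through: what the current check accepts and what the
// bounded check would reject for the same intent.
function walkthrough(): string[] {
  const lines: string[] = [];
  lines.push(`collateral required today: ${requiredCollateralUnbounded(EXAMPLE_INTENT, EXAMPLE_LAST_VERSION_PRICE)}`);
  lines.push(`taker pnl at settlement (toVersion.price = 123): ${takerSettlementPnl(EXAMPLE_INTENT, 123)}`);
  lines.push(`loss not covered by posted collateral: ${unbackedLoss(EXAMPLE_INTENT, EXAMPLE_LAST_VERSION_PRICE, 123)}`);
  const verdict = validateIntentBounded(EXAMPLE_INTENT, EXAMPLE_LAST_VERSION_PRICE, 615, 1_000);
  lines.push(`bounded check (10% cap): ${verdict.ok ? "accepted" : "rejected: " + verdict.reason}`);
  return lines;
}

walkthrough().forEach((line) => console.log(line));
```

The unbounded path accepts the intent with 615 units of collateral and then books a loss of roughly 6.25e12 against it, which is the gap the winning side's pnl would have to be paid from. With a deviation cap the same intent is rejected outright, and an intent that stays inside the cap is only accepted when the collateral also covers the price difference, which is the second half of the report's mitigation.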