A sophisticated user can pick a price from the past _validSignatureTimer
as _priceData
to open positions for profit
#495
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-108
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/TradingLibrary.sol#L91-L122
Vulnerability details
Impact
initiateMarketOrder()
can be called with a signed off-chain price data from the past_validSignatureTimer
and thatprice
will be taken as the open price of the position.Because the difference of the current price to the
price
from_validSignatureTimer
ago is known to the caller, it will be possible for the user to create a long position at a price 2% lower than the current market price, or a short position at a price 2% higher than the current market price.If the
_validSignatureTimer
is long enough, combining with leverage, the attacker will be able to disrupt the market by draining all the profits from the other regular users.https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/utils/TradingLibrary.sol#L91-L122
Recommended Mitigation Steps
Signed
_priceData
should only be allowed for SL/TP and match limit orders. For those orders, only a priceData with a timestamp after the created timestamp of the order can be used.The text was updated successfully, but these errors were encountered: