Assessment reportsPublic findings
Back to Zellic site
Assessment reports>GTE -- Perp>High findings>Time-weighted average price is manipulatable
GeneralOverview
Findings
Critical (1)
High (4)The isLong flag for a position is not reset to false during liquidation, preventing users from opening long positionsThe _gtlHook is not triggered when a GTL limit order is fully filled, resulting in inflated GTL totalAssetsTime-weighted average price is manipulatableA malicious actor could block a market if minLimitOrderAmountInBase is set too low
Medium (4)
Low (3)
Informational (6)
DiscussionLimited test suiteThe setIndexPrice() update frequency
Threat ModelWhat are threat models?CollateralManager.solGTL.solPerpCLOB.solPerpManager.solPosition.sol
Audit ResultsAssessment Results
Category: Business Logic

Time-weighted average price is manipulatable

High Severity
Medium Impact
Low Likelihood

Description

The PriceHistoryLib library's snapshot function records the last traded price. If a price snapshot for a given timestamp already exists, the function overwrites it with the new price. The twap function subsequently uses this price history to calculate the time-weighted average price (TWAP) mark price. This TWAP mark price influences the funding rate post settlement.

function snapshot(PriceHistory storage history, uint256 price, uint256 timestamp) internal {
    uint256 length = history.snapshots.length;

    if (length > 0 && history.snapshots[length - 1].timestamp == timestamp) {
        history.snapshots[length - 1].price = price;
    } else {
        history.snapshots.push(PriceSnapshot(price, timestamp));
    }
}

This design presents two vulnerabilities:

  1. The snapshot function does not differentiate between bid and ask prices when recording trades. This allows an attacker to systematically execute trades on only one side of the order book (e.g., exclusively bids or asks), potentially skewing the resultant TWAP.

  2. The function records price snapshots without considering associated trade volumes. This enables an attacker to exert undue influence on the TWAP by executing numerous trades at the minimum permissible volume, thereby giving these small-volume trades disproportionate weight.

Impact

An attacker can exploit these vulnerabilities by repeatedly executing trades at the prevailing best ask (or best bid) price using minimal volume. Such activity introduces a high number of biased price points into the price history, leading to an artificially inflated or deflated TWAP mark price. Manipulation of the TWAP price directly affects the calculated funding rate, creating an opportunity for the attacker to profit from this distortion.

Recommendations

We recommend separating the price history into distinct bid and ask histories. The mark TWAP should then be calculated as the average of the bid TWAP and the ask TWAP. Additionally, trade volume should be considered when calculating the TWAP.

Remediation

Zellic © 2025Back to top ↑