Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Perennial>Medium findings>Markets missing slippage protection
GeneralOverview
Findings
Critical (1)
High (1)
Medium (1)Markets missing slippage protection
Low (2)
DiscussionUnnecessary storage assignments in `MappingStorageLib` waste gasIncorrect documentation in Vault `Mapping`Market user interface may be misleadingMissing fee claim mechanismUndercollateralized positions possible
Threat ModelWhat are threat models?Market.solMarketFactory.solMultiInvoker.solOracle.solOracleFactory.solVault.solVaultFactory.sol
Audit ResultsSummary
AppendixVault inflation POC codeNegative Liquidation PoC codeMultiInvoker drain POC code
Category: Business Logic

Markets missing slippage protection

Medium Severity
Medium Impact
Medium Likelihood

Description

Since the markets have delayed settlements to mitigate arbitrage, the positions opened by users are settled at a later price. Under normal circumstances, the difference in price between when a position is opened and when it is settled should be fairly small. However, volatility in the price feed can cause unexpected fluctuations.

Preventing unexpected losses requires a slippage-protection mechanism.

Impact

Users may lose funds due to unexpected volatility given the lack of a slippage-protection mechanism.

Recommendations

Slippage protection could be implemented at the oracle-level. While making a version invalid might be difficult, one simple way to handle it would be to cancel trades if the price difference between two versions exceeds a certain threshold. Adding an additional unsafe flag that users can set would keep it usable for users who want to bypass this protection.

Remediation

Zellic © 2023Back to top ↑