A market's hourly average price can be biased by a large number of trades

[code423n4]

Handle

shw

Vulnerability details

Impact

An attacker can artificially move a market's hourly average price (i.e., the result of getHourlyAvgTracerPrice) by executing a large number of trades on the market with only paying gas fees.

Proof of Concept

The hourly average price is calculated by the cumulativePrice divided by the number of trades in the given hour (i.e., the average of all trade prices). Therefore, an attacker can bias this average price by executing a large number of trades (i.e., calling executeTrade on Trader with many matched orders), and all of them have an extremely high (or low) trade price, as long as the maker and taker's positions are valid after the trade.

The attacker only pays the gas fees without losing the assets since the makers and takers are all his accounts. Besides, the attacker can avoid paying the trade fees if the fillAmount of trade is 0.

Referenced code:
Trader.sol#L121-L126
TracerPerpetualSwaps.sol#L280
Pricing.sol#L100
Pricing.sol#L126-L129
Pricing.sol#L254-L256
LibPrices.sol#L41-L49

Recommended Mitigation Steps

This attack is generally difficult to prevent since anyone can execute trades and match orders generated by him. A possible mitigation is to modify the hourly average price formula: increase the cumulativePrice by the trade price multiply the fill amount of each trade. As a result, the attacker has to increase the trade volume to move the average price effectively, and thus the charged trade fees are increased for launching such attacks.

[raymogg]

Duplicate of issue #119. Worded slightly differently but it comes down to the fact that

• volume isn't taken into account when computing average price
• arbitrary execution of orders is possible through the trader