Full Report
Perpetuals are a type of derivative in which a trader speculates on the price of an asset at some point in the future; the bet can be on the price going up or down. The vulnerability is in how the protocol calculated and used the index price. Typically, the index price refers to the average price of the underlying asset, and the mark price is the current price offered by the exchange for the future being traded. Within the Perpetual Protocol these are defined differently: the index price is the current value of the spot asset, computed as a TWAP, and the mark price is the most recently traded price.

On futures exchanges, the size of a position is limited by the user's initial margin (the collateral deposited). Otherwise the user could accumulate bad debt, leading to insolvency in the protocol, so any vulnerability that can generate large amounts of bad debt is serious. Perpetual Protocol did not limit positions this way. Instead, it valued all positions, and decided which orders to allow, based on the index price. Since the index price is somewhat manipulable, this becomes a problem: raising the price, shorting, then dropping the price could cause large losses for the protocol.

How feasible is it to manipulate a pool? They looked at many of the pools and determined that vMATIC-vUSD was likely the most manipulable. The process for triggering the issue is fairly complicated and uses four accounts. Here is how it goes. First, account 0 makes a massive sell of spot tokens to drive the mark price down to 0.8A. The maximum allowed price change is 20%, due to existing defense-in-depth measures. Second, account 1 opens a short position at 1.2A, again at the maximum 20% manipulation. Then account 2 opens a long position at 0.8A and pushes the price to the 1.2A maximum through a massive purchase of the spot token. At this step, a very large unrealized profit is generated for account 2.
Account 3 opens a long taker order at the price of 1.2A as a counterparty for account 1, executing the malicious short taker order at this price. Account 2 closes its long position to realize its profits. To me, the key is that, since the price is manipulable, both the long and the short result in a positive gain. Doing this over and over again (once per minute) could have stolen most of the money from the protocol.

On Immunefi, the mediation process went south. The reasoning from Perpetual Protocol didn't make any sense, and they offered 5K for a medium instead of 250K for a critical. Eventually, after months of work, they moved this to a critical with a 10K bounty. It seems like specific market conditions had to be met for this to work, but I don't fully understand them.
Analysis Summary
# Vulnerability: Price Manipulation via Index Price Inconsistency in Perpetual Protocol
## CVE Details
- **CVE ID**: N/A (DeFi vulnerability reported via Immunefi)
- **CVSS Score**: 9.0 - 10.0 (Critical - based on potential for protocol insolvency)
- **CWE**: CWE-682: Incorrect Calculation; CWE-345: Insufficient Verification of Data Authenticity (Oracle/Price Manipulation)
## Affected Systems
- **Products**: Perpetual Protocol (v2)
- **Versions**: Production instances prior to the fix (circa 2022)
- **Configurations**: Virtual Automated Market Maker (vAMM) pools with lower liquidity/higher slippage capacity, specifically identified in the vMATIC-vUSD pool.
## Vulnerability Description
The vulnerability stems from a design flaw in how Perpetual Protocol validated account margin and permitted trades. Unlike traditional perpetual exchanges that limit position sizes based on the **Mark Price** (the current exchange price), this protocol used the **Index Price** (the external spot price, often calculated via TWAP) to determine the value of positions and available margin.
Because the Index Price relies on external spot data which can be influenced by large trades, and the Mark Price can be manipulated within the vAMM, a discrepancy can be engineered. If an attacker can force the Mark Price to move significantly faster than the Index Price, they can open positions at "artificial" prices that the protocol's margin engine views as safe (based on the lagging or manipulatable Index Price), leading to the accumulation of massive "bad debt" and protocol insolvency.
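As an added illustration (not Perpetual Protocol's code), the following toy margin engine shows why valuing a position at the index price alone is unsafe: a long opened at 1.2A looks solvent at the index price A while it is already underwater at a mark price of 0.8A, which is still inside the 20% band. The names, the 10% maintenance ratio and the sample figures are assumptions.

```python
from dataclasses import dataclass

# Constructed toy margin engine; it is NOT Perpetual Protocol's code.
# The maintenance ratio and all sample figures are assumptions; the 20%
# band is the limit described in the write-up.
MAINTENANCE_RATIO = 0.10   # assumed minimum (collateral + PnL) / notional
MAX_DEVIATION = 0.20       # mark price may sit at most 20% away from index

@dataclass
class Position:
    size: float          # base units: positive = long, negative = short
    entry_price: float   # mark price at which the position was opened
    collateral: float    # quote units deposited as margin

def unrealized_pnl(pos: Position, price: float) -> float:
    """PnL if the position were closed at `price`."""
    return pos.size * (price - pos.entry_price)

def margin_ratio(pos: Position, price: float) -> float:
    """Equity (collateral + PnL) over notional, both valued at `price`."""
    return (pos.collateral + unrealized_pnl(pos, price)) / (abs(pos.size) * price)

def is_solvent_index_only(pos: Position, index_price: float) -> bool:
    """The flawed check: positions are valued at the (lagging) index price."""
    return margin_ratio(pos, index_price) >= MAINTENANCE_RATIO

def is_solvent_conservative(pos: Position, index_price: float, mark_price: float) -> bool:
    """Hardened check: value the position at whichever price is worse for it."""
    worse = min if pos.size > 0 else max
    return margin_ratio(pos, worse(index_price, mark_price)) >= MAINTENANCE_RATIO

def within_band(mark_price: float, index_price: float) -> bool:
    """Defense-in-depth limit on mark/index divergence."""
    return abs(mark_price - index_price) / index_price <= MAX_DEVIATION

def demo() -> dict:
    """Long opened at 1.2A (A = 100) while the mark is driven to 0.8A."""
    index, mark = 100.0, 80.0
    long_at_top = Position(size=10.0, entry_price=120.0, collateral=350.0)
    return {
        "band_ok": within_band(mark, index),                             # True: exactly 20%
        "index_view": is_solvent_index_only(long_at_top, index),         # True: looks safe
        "mark_view": is_solvent_conservative(long_at_top, index, mark),  # False: bad debt
    }

if __name__ == "__main__":
    print(demo())
```

The index-only view never triggers liquidation of the losing leg, which is how the loss ends up as protocol bad debt rather than as a closed-out position.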
## Exploitation
- **Status**: PoC available (demonstrated during Immunefi bounty process). No confirmed exploitation in the wild.
- **Complexity**: High (Requires coordinated action across four accounts and significant capital).
- **Attack Vector**: Network (Interacting with smart contracts).
### Exploitation Scenario
1. **Drive Price Down**: Account 0 sells spot tokens to push the Mark Price to the downward limit (e.g., 0.8A).
2. **Open Strategic Short**: Account 1 opens a short position at the upper price limit (1.2A).
3. **Drive Price Up**: Account 2 purchases spot tokens, pushing the Mark Price from 0.8A to 1.2A, generating massive unrealized profit on a long position.
4. **Execute Counterparty Trade**: Account 3 opens a long position at 1.2A to act as the counterparty for Account 1’s short.
5. **Realize Profit**: Account 2 closes the long position to extract the value.
6. **Repeat**: By cycling these trades, attackers extract value while leaving the protocol with uncollateralized bad debt.
## Impact
- **Confidentiality**: None
- **Integrity**: Critical (Manipulation of financial state and balances)
- **Availability**: High (Potential protocol insolvency/shutdown)
## Remediation
### Patches
- The protocol team adjusted the margin validation logic to ensure that position sizing and liquidations account for the discrepancy between Mark and Index prices more strictly.
- Enhanced "Defense in Depth" measures regarding maximum allowable price fluctuations per block/minute.
### Workarounds
- Implementation of stricter slippage limits.
- Temporary pausing of highly volatile or low-liquidity vAMM pools.
## Detection
- **Indicators of Compromise**: Rapid, rhythmic fluctuations in Mark Price that maximize the allowed 20% volatility buffer; accounts opening and closing large positions within highly correlated timeframes (1-minute intervals).
- **Detection Methods**: Monitoring for "Bad Debt" accumulation in specific vAMM vaults; tracking TWAP vs. Mark Price divergence.
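As an added example (not Perpetual Protocol's tooling), the following script applies the two indicators above to a constructed mark/index feed: it flags ticks sitting at the edge of the 20% band and raises an alert only when consecutive edge hits alternate sides within a couple of minutes. The tick fields, the tolerance and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed detection logic for the indicators above; not Perpetual Protocol's code.
MAX_DEVIATION = 0.20   # the 20% mark/index band from the write-up
CYCLE_SECONDS = 60     # the once-per-minute cadence from the write-up

@dataclass
class Tick:
    ts: int        # unix seconds
    mark: float    # last traded price on the vAMM
    index: float   # TWAP index price

def deviation(t: Tick) -> float:
    """Signed mark/index divergence as a fraction of the index price."""
    return (t.mark - t.index) / t.index

def band_hits(ticks: List[Tick], tol: float = 0.01) -> List[Tick]:
    """Ticks where the mark price sits within `tol` of the +/-20% band edge."""
    return [t for t in ticks if abs(abs(deviation(t)) - MAX_DEVIATION) <= tol]

def oscillation_alerts(ticks: List[Tick], max_gap: int = 2 * CYCLE_SECONDS) -> List[Tuple[int, int]]:
    """Consecutive band hits on opposite sides of the index within `max_gap` seconds.
    A single spike can be organic; alternating edge-to-edge swings a minute apart are not."""
    hits = band_hits(ticks)
    return [(a.ts, b.ts) for a, b in zip(hits, hits[1:])
            if deviation(a) * deviation(b) < 0 and b.ts - a.ts <= max_gap]

# Constructed sample feed: index TWAP flat at 100 while the mark is pushed
# from one band edge to the other every 30-60 seconds, then calms down.
SAMPLE_FEED = [
    Tick(0, 100.0, 100.0), Tick(10, 80.0, 100.0), Tick(30, 120.0, 100.0),
    Tick(60, 80.0, 100.0), Tick(90, 120.0, 100.0), Tick(200, 101.0, 100.0),
    Tick(800, 119.5, 100.0),   # lone spike much later: a band hit, but no alert
]

if __name__ == "__main__":
    for start, end in oscillation_alerts(SAMPLE_FEED):
        print(f"alert: band-to-band swing between t={start}s and t={end}s")
```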
## References
- Perpetual Protocol: hxxps[://]perc[.]fi/
- Immunefi Bug Bounty Portal: hxxps[://]immunefi[.]com/