Backrun bounder incorrectly assumes Arbitrum's block time  #178

@bsamuels453

Severity: Undetermined
Difficulty: Medium

Overlay uses the underlying chain's average block time as a risk parameter in the protocol's backrun protection, as seen below:

```solidity
MinCollateral, // minimum ov collateral to open position
PriceDriftUpperLimit, // upper limit for feed price changes since last update
AverageBlockTime // average block time of the respective chain
```

```solidity
/// @dev bid price given oracle data and recent volume
function bid(Oracle.Data memory data, uint256 volume) public view returns (uint256 bid_) {
    bid_ = Math.min(data.priceOverMicroWindow, data.priceOverMacroWindow);
    // add static spread (delta) and market impact (lmbda * volume)
    uint256 delta = params.get(Risk.Parameters.Delta);
    uint256 lmbda = params.get(Risk.Parameters.Lmbda);
    uint256 pow = delta + lmbda.mulUp(volume);
```

However, Arbitrum does not have a specified block time; the sequencer sequences transactions as it receives them. Over time, an average block time can be measured; however, an attacker can manipulate this value to increase or reduce the average block time.

This would allow the attacker to bypass the backrun-protection macro window, causing an undetermined impact.

Recommendation

For networks with non-deterministic block times, consider using the block timestamp for measuring the size of the macro window.
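To make the recommendation concrete, the following added example (not Overlay's code and not part of the original issue) compares the two ways of measuring a window over constructed block timestamps. It assumes the window is turned into a block count by dividing by the average block time; `MACRO_WINDOW`, `AVERAGE_BLOCK_TIME`, the function names and all timestamps are hypothetical.

```python
# Added illustration, not Overlay's code. Constants, names and timestamps are constructed.
from bisect import bisect_left

MACRO_WINDOW = 3600       # seconds the window is meant to cover (assumed value)
AVERAGE_BLOCK_TIME = 12   # seconds per block assumed by the risk parameter (assumed value)


def block_count_window(timestamps, window=MACRO_WINDOW, avg=AVERAGE_BLOCK_TIME):
    """Seconds actually covered when the window is converted to a block count."""
    blocks = window // avg
    if blocks >= len(timestamps):
        raise ValueError("not enough block history")
    return timestamps[-1] - timestamps[-1 - blocks]


def timestamp_window(timestamps, window=MACRO_WINDOW):
    """Seconds covered when the window start is located by block timestamp."""
    cutoff = timestamps[-1] - window
    if timestamps[0] > cutoff:
        raise ValueError("not enough block history")
    i = bisect_left(timestamps, cutoff)  # first block at or after the cutoff
    if timestamps[i] > cutoff:
        i -= 1  # step back one block so the span is never shorter than the window
    return timestamps[-1] - timestamps[i]


def make_chain(intervals, start=1_700_000_000):
    """Build strictly increasing block timestamps from per-block intervals."""
    ts = [start]
    for dt in intervals:
        ts.append(ts[-1] + dt)
    return ts


def compare(timestamps):
    """Return (seconds covered by block count, seconds covered by timestamp)."""
    return block_count_window(timestamps), timestamp_window(timestamps)


if __name__ == "__main__":
    chains = {
        "steady 12s blocks": make_chain([12] * 1000),
        "recent 1s blocks": make_chain([12] * 700 + [1] * 300),
        "slow 60s blocks": make_chain([60] * 400),
    }
    for name, ts in chains.items():
        by_count, by_time = compare(ts)
        print(f"{name}: block-count window {by_count}s, timestamp window {by_time}s")
```

When block intervals match the assumed average, both measurements agree; when they differ, only the timestamp-based window still spans the intended number of seconds.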
