Lone Fossilized Lemur - Missing Payable Modifier Causes Order Execution Failure in Synthetix Integration

[sherlock-admin3]

Lone Fossilized Lemur

High

Missing Payable Modifier Causes Order Execution Failure in Synthetix Integration

Summary

A critical oversight has been discovered in the implementation of BorrowLiquidation::executeOrdersInSynthetix where the function lacks the essential payable modifier. This omission prevents the proper forwarding of ETH required for Synthetix order execution, leading to consistent transaction failures and system unavailability.

Root Cause

The BorrowLiquidation::executeOrdersInSynthetix and BorrowLiquidation::executeOrdersInSynthetix function is not marked as payable.

    function executeOrdersInSynthetix(
        bytes[] calldata priceUpdateData
    ) external onlyAdmin {
        // call executeOrdersInSynthetix in borrowLiquidation contract
        borrowLiquidation.executeOrdersInSynthetix(priceUpdateData);
    }

calls the borrowLiquidation.executeOrdersInSynthetix(priceUpdateData) internally

    function executeOrdersInSynthetix(
        bytes[] calldata priceUpdateData
    ) external onlyBorrowingContract {
        // Execute the submitted order
        synthetixPerpsV2.executeOffchainDelayedOrder{value: 1}(address(this), priceUpdateData);
    }

Consequently, the hardcoded value of 1 wei specified in the function call is not sent, and msg.value remains zero. When the call chain reaches the updatePythPrice function in synthetixPerpsV2, it reverts with the error "Not enough eth for paying the fee" due to insufficient ETH being forwarded.

https://github.com/sherlock-audit/2024-11-autonomint/blob/0d324e04d4c0ca306e1ae4d4c65f0cb9d681751b/Blockchain/Blockchian/contracts/Core_logic/borrowLiquidation.sol#L324

Internal pre-conditions

1. Contract Dependencies:
   • The BorrowLiquidation contract must interact with Synthetix's perps system
   • ETH fee payment is mandatory for Pyth price updates
2. Operational Conditions:
   • Functions need to handle ETH transfers
   • Admin privileges required for execution

External pre-conditions

No response

Attack Path

No response

Impact

The absence of the payable modifier creates a complete blockage in the order execution pipeline. This technical limitation prevents administrators from performing critical operations, potentially leading to:

• Stalled liquidations
• Inability to process market orders
• System-wide operational disruption

PoC

The administrator calls the Borrowing::executeOrdersInSynthetix function with valid input data.
This invokes the BorrowLiquidation::executeOrdersInSynthetix function, which attempts to execute the order by calling the synthetixPerpsV2.executeOffchainDelayedOrder function.
The call to updatePythPrice

 require(msg.value >= fee, "Not enough eth for paying the fee");

Since the Borrowing::executeOrdersInSynthetix and BorrowLiquidation::executeOrdersInSynthetix function is not marked as payable, no ETH is forwarded in the transaction, and msg.value is zero.
The Transaction will reverts due to the insufficient ETH fee, causing the entire order execution to fail.

Mitigation

Mark the BorrowLiquidation::executeOrdersInSynthetix and borrowLiquidation::executeOrdersInSynthetix function as payable:

    function executeOrdersInSynthetix(
        bytes[] calldata priceUpdateData
    ) external payable onlyAdmin {
        // call executeOrdersInSynthetix in borrowLiquidation contract
        borrowLiquidation.executeOrdersInSynthetix(priceUpdateData);
    }

function executeOrdersInSynthetix(
        bytes[] calldata priceUpdateData
    ) external payable onlyBorrowingContract {
        // Execute the submitted order
        synthetixPerpsV2.executeOffchainDelayedOrder{value: 1}(address(this), priceUpdateData);
    }