= Pricing vulnerabilities =

First, because Synthetix is not really an exchange it doesn't have an order book and can't determine prices directly. The rates for assets in Synthetix come from an external provider (Chain Link) [exchange_rates]. I won't be looking into how Chain Link works in this post, but it's important to note that Chain Link has already messed up its feeds multiple times, a fact that led to an emergency circuit breaker being added to Synthetix that suspends trading should an asset price fall by a certain percent within a short time period [circuit_breaker]. Unfortunately, due to the way Synthetix handles exchange requests there is no guarantee the circuit breaker will ever be triggered!

'''There are multiple reasons for this:'''
# The Exchange Rate contract code can allow price quotes to be stale by several hours [stale_quotes].
# The exact value it can be stale by is arbitrary, as every aspect of Synthetix can be changed by the contract owner at any time [[#backdoors|backdoors]].
# The Exchange API call does NOT include a price parameter, which leaves it vulnerable to race conditions [contract_no_quote].
# '''The UI has no way to specify rates (at all)''', so the freshness of any rate shown in the UI is never verified against the rate actually used, which makes any contract-level circuit breaker completely redundant [ui_no_quote].
# The UI contains multiple pricing race conditions on the same page, e.g. miner fee calculation, expected exchange rate, final confirm, final submit. This is very amateurish to say the least.

'''The user has no clue what rate they end up paying. WEW:''' [contract_no_quote][ui_no_quote]

<syntaxhighlight lang="javascript">
// ...
// The UI computes a rate for display only; nothing below passes it to the contract.
const rate = getExchangeRatesForCurrencies(exchangeRates, quote.name, base.name);
const inverseRate = getExchangeRatesForCurrencies(exchangeRates, base.name, quote.name);
// ...

// Note: no price, rate or minimum-received argument. The contract uses
// whatever the rate feed returns at execution time.
const tx = await Synthetix.exchange(
  bytesFormatter(quote.name),
  amountToExchange,
  bytesFormatter(base.name),
  {
    gasPrice: gasInfo.gasPrice * GWEI_UNIT,
    gasLimit: rectifiedGasLimit,
  }
);
</syntaxhighlight>

Synthetix Exchange were probably thinking that by leaving out a price parameter they would be making the API easier to use; after all, the price can just be determined at the time of exchange and everything floats anyway. But it means that showing quotes in the UI for a price feed has literally no purpose, as new prices are fetched at the time of exchange. What this means is the prices in the UI can be stale by an indefinite period of time or completely wrong (thereby bypassing the circuit breaker). The user has ZERO WAY to indicate whether they agree to a certain quote. Just roll the dice and accept, because it's no different [pricing_notes].

<span id="options-exchange"></span>
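To make the race concrete, here is an added example that is not Synthetix code: an in-memory model of an exchange whose rates come from an external feed. It shows a quote-less exchange executing at a rate the user never saw, and a hardened variant that takes the quoted rate, a slippage tolerance and a maximum feed age and refuses the trade when either bound is violated. All names, the rate feed contents and the timestamps are constructed for the example.

```javascript
// Added example, not Synthetix code. Hypothetical names throughout.

// Constructed rate feed: currency -> { rate in USD, updatedAt in unix seconds }
function makeFeed() {
  return {
    sUSD: { rate: 1, updatedAt: 1000 },
    sBTC: { rate: 10000, updatedAt: 1000 },
  };
}

// Rate of `src` expressed in units of `dest`, as a UI would compute it for display.
function getRate(feed, src, dest) {
  return feed[src].rate / feed[dest].rate;
}

// Quote-less exchange, mirroring a call with no price parameter: the rate is
// whatever the feed says when the call executes, not what the user was shown.
function exchangeNoQuote(feed, src, amount, dest) {
  const rate = getRate(feed, src, dest);
  return { received: amount * rate, rateUsed: rate };
}

// Hardened variant: the caller passes the rate it was quoted, a tolerance in
// basis points, its notion of "now" and the maximum acceptable feed age.
// Throwing here plays the role of a contract revert.
function exchangeWithQuote(feed, src, amount, dest, opts) {
  const { expectedRate, maxSlippageBps, now, maxAgeSec } = opts;
  // Freshness check: either leg of the pair being stale invalidates the rate.
  const age = now - Math.min(feed[src].updatedAt, feed[dest].updatedAt);
  if (age > maxAgeSec) {
    throw new Error(`stale rate: feed is ${age}s old, limit ${maxAgeSec}s`);
  }
  const rate = getRate(feed, src, dest);
  // Slippage check: the user receives `rate` units of dest per src, so a lower
  // rate than quoted (beyond the tolerance) is rejected.
  const minAcceptable = expectedRate * (1 - maxSlippageBps / 10000);
  if (rate < minAcceptable) {
    throw new Error(`rate ${rate} below accepted minimum ${minAcceptable}`);
  }
  return { received: amount * rate, rateUsed: rate };
}

// Scenario: the UI quotes a rate, then a feed update lands before execution.
function scenario() {
  const feed = makeFeed();
  const quoted = getRate(feed, 'sBTC', 'sUSD'); // 10000 sUSD per sBTC
  // Constructed feed move between quote and execution: BTC halves in price.
  feed.sBTC = { rate: 5000, updatedAt: 1060 };

  const noQuote = exchangeNoQuote(feed, 'sBTC', 1, 'sUSD');

  let withQuoteError = null;
  try {
    exchangeWithQuote(feed, 'sBTC', 1, 'sUSD', {
      expectedRate: quoted, maxSlippageBps: 100, now: 1070, maxAgeSec: 300,
    });
  } catch (e) {
    withQuoteError = e.message;
  }
  return {
    quoted,
    noQuoteRate: noQuote.rateUsed,
    noQuoteReceived: noQuote.received,
    withQuoteError,
  };
}

const scenarioResult = scenario();
console.log(scenarioResult);
```

The quote-less call silently settles 1 sBTC for 5000 sUSD although the user was shown 10000, while the bounded variant rejects the trade; the same function also rejects a pair whose feed is older than `maxAgeSec`, which is the check a client-side display of a rate cannot substitute for.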