Platform: Code4rena
Start Date: 13/03/2023
Pot Size: $72,500 USDC
Total HM: 33
Participants: 35
Period: 7 days
Judge: Dravee
Total Solo HM: 16
Id: 222
League: ETH
Rank: 24/35
Findings: 2
Award: $211.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
131.4335 USDC - $131.43
Detailed description of the impact of this finding.
} else { require(trader == ownerOf(positionId)); ShortPosition storage position = shortPositions[positionId]; if (shortAmount >= position.shortAmount) { totalShorts += shortAmount - position.shortAmount; } else { totalShorts -= position.shortAmount - shortAmount; } position.collateralAmount = collateralAmount; position.shortAmount = shortAmount; if (position.shortAmount == 0) { _burn(positionId); <- @audit-issue burns the token even if it still has collateral }
When adjusting a position, the position token is burned if shortAmount == 0. The issue with this is that it doesn't check if the token has any collateral still associated with it. The result is that if there is still collateral assigned to the token and it is burned then all collateral assigned to that token will not longer be accessible and will be permanently lost.
Manual Review
Only burn the position if BOTH collateral and shortAmount = 0
#0 - c4-judge
2023-03-21T00:43:03Z
JustDravee marked the issue as duplicate of #131
#1 - c4-judge
2023-03-21T00:43:07Z
JustDravee marked the issue as satisfactory
#2 - JustDravee
2023-05-02T23:31:34Z
Partial for lack of coded POC on a High
#3 - c4-judge
2023-05-02T23:31:38Z
JustDravee marked the issue as partial-50
🌟 Selected for report: joestakey
Also found by: 0x52, Bauer, KIntern_NA, auditor0517, bin2chen, chaduke, juancito
79.8459 USDC - $79.85
Collateral is permanently trapped inside short position
function removeCollateral(uint256 collateralToRemove) external requiresAuth nonReentrant { (uint256 markPrice,) = LIQUIDITY_POOL.getMarkPrice(); uint256 minColl = positionData.shortAmount.mulWadDown(markPrice); minColl = minColl.mulWadDown(collRatio); require(positionData.totalCollateral >= minColl + collateralToRemove); usedFunds -= collateralToRemove; positionData.totalCollateral -= collateralToRemove; emit RemoveCollateral(positionData.positionId, collateralToRemove); }
KangarooVault#removeCollateral never actually makes a call to the exchange to remove the requested collateral. The result is that all collateral added to the short position is permanently stuck there.
Manual Review
Make a call to exchange to remove the collateral:
function removeCollateral(uint256 collateralToRemove) external requiresAuth nonReentrant { (uint256 markPrice,) = LIQUIDITY_POOL.getMarkPrice(); uint256 minColl = positionData.shortAmount.mulWadDown(markPrice); minColl = minColl.mulWadDown(collRatio); require(positionData.totalCollateral >= minColl + collateralToRemove); + EXCHANGE.removeCollateral(positionData.positionId, collateralToRemove); usedFunds -= collateralToRemove; positionData.totalCollateral -= collateralToRemove; emit RemoveCollateral(positionData.positionId, collateralToRemove); }
#0 - c4-judge
2023-03-21T00:12:51Z
JustDravee marked the issue as satisfactory
#1 - c4-judge
2023-03-21T00:13:28Z
JustDravee marked the issue as duplicate of #111
#2 - JustDravee
2023-05-02T23:23:00Z
Partial for lack of coded POC on a High
#3 - c4-judge
2023-05-02T23:23:04Z
JustDravee marked the issue as partial-50