Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $90,500 USDC
Total HM: 35
Participants: 84
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 12
Id: 192
League: ETH
Rank: 83/84
Findings: 1
Award: $1.15
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xA5DF
Also found by: 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xdeadbeef0x, 8olidity, Englave, Faith, HE1M, JohnnyTime, Madalad, Mukund, Ruhum, SmartSek, __141345__, aviggiano, carlitox477, cccz, chaduke, francoHacker, gz627, gzeon, hansfriese, hihen, imare, jadezti, kwhuo68, ladboy233, orion, peanuts, philogy, rbserver, wait, yjrwkk
1.1472 USDC - $1.15
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/PairsContract.sol#L139-L143
The max open interest limit updating function setMaxOi didn't verify the new max open interest limit against existing long/short open interests. The consequence is that the existing assets' long/short open interests may exceed the reduced max open interest limit. This breaks the business logic: the max open interest limit is not supposed to be exceeded.
In the test file: 02.PairsContract.js, add below test in Section describe('Protocol-only functions', function () :
it('Reduce max open interest limit to lower than short/long open interest', async function () { //@audit added await pairscontract.connect(owner).addAsset(99, 'XYZ/ABC', ethers.constants.AddressZero, ethers.utils.parseEther('1'), ethers.utils.parseEther('100'), 1e10, 3e9); await pairscontract.connect(owner).setProtocol(NewTrading.address); await pairscontract.connect(owner).setMaxOi(99, StableToken.address, ethers.utils.parseEther('2000')); await pairscontract.connect(NewTrading).modifyLongOi(99, StableToken.address, true, ethers.utils.parseEther('500')); await pairscontract.connect(NewTrading).modifyShortOi(99, StableToken.address, true, ethers.utils.parseEther('2000')); let [longOi, shortOi] = await pairscontract.idToOi(99, StableToken.address); expect(longOi).to.equal(ethers.utils.parseEther('500')); expect(shortOi).to.equal(ethers.utils.parseEther('2000')); await expect(pairscontract.connect(owner).setMaxOi(99, StableToken.address, ethers.utils.parseEther('100'))).not.to.be.reverted; });
N/A.
One of the possible solution is to limit the max open interest limit to the maximum value of the existing assets' long/short open interests; or to set the max open interest limit as a constant.
#0 - c4-judge
2022-12-23T17:41:10Z
GalloDaSballo marked the issue as primary issue
#1 - GalloDaSballo
2022-12-23T17:41:30Z
Marginally better, but suspiciously similar to it's dups
#2 - TriHaz
2023-01-10T16:45:55Z
I don't see any issue in that, if max OI is modified, the expected behaviour will be that no new positions will be opened until current OI decreases to less than the new max OI.
#3 - c4-sponsor
2023-01-10T16:46:14Z
TriHaz marked the issue as sponsor disputed
#4 - GalloDaSballo
2023-01-15T12:16:47Z
The finding shows how the current value of OI can be above the max if the value for max is reduced.
The sponsor says that this will not cause issues as no new position will be opened.
If no liquidation nor MEV advantageous scenario can be created, I agree with the Sponsor and may keep the finding as QA at most If an advantageous scenario can be identified I'll rate Med due to conditionality
Will dig deeper
#5 - c4-judge
2023-01-15T13:57:08Z
GalloDaSballo changed the severity to 2 (Med Risk)
#6 - c4-judge
2023-01-15T13:57:18Z
GalloDaSballo marked the issue as duplicate of #377
#7 - c4-judge
2023-01-22T17:33:33Z
GalloDaSballo marked the issue as satisfactory