The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

`LiquidationPool::position` Function Doesn't Account for `LiquidationPoolManager::poolFeePercentage`, Leading to Misleading Information

n0kto

Description

The LiquidationPool::position function returns information about all the money staked in the contract, including pending and consolidated stake. However, it doesn’t take into account the poolFeePercentage from LiquidationPoolManager, leading to false information. Trying to anticipate the fees that have not yet been distributed results in an inaccurate representation of the staker's holdings. The returned information is higher than the actual value, which can potentially disappoint stakers who rely on this function to assess their holdings.

function position(address _holder) external view returns(Position memory _position, Reward[] memory _rewards) {

_position = positions[_holder];

(uint256 _pendingTST, uint256 _pendingEUROs) = holderPendingStakes(_holder);

_position.EUROs += _pendingEUROs;

_position.TST += _pendingTST;

@> if (_position.TST > 0) _position.EUROs += IERC20(EUROs).balanceOf(manager) * _position.TST / getTstTotal();

_rewards = findRewards(_holder);

}

Impact

Users will perceive a lower value than indicated by the position function due to the lack of consideration for poolFeePercentage. This is particularly impactful since users often rely on the position function to assess their holdings, given that the positions array is private. Consequently, users might feel disappointed or confused by the inaccurate information, making it challenging for them to accurately determine the real amount for calls to LiquidationPoolManager::decreasePosition. Users would need to calculate the actual amount themselves, introducing complexity and potential frustration.

Recommended Mitigation

Adjust the logic of the LiquidationPool::position function to account for LiquidationPoolManager::poolFeePercentage. An example of the modification is provided below:

function position(

address _holder

)

external

view

returns (Position memory _position, Reward[] memory _rewards)

{

if (_position.TST > 0)

- _position.EUROs +=

- (IERC20(EUROs).balanceOf(manager) * _position.TST) /

- getTstTotal();

+ _position.EUROs +=

+ (IERC20(EUROs).balanceOf(manager) * _position.TST) * manager.poolFeePercentage() /

+ (getTstTotal() * manager.HUNDRED_PC());

_rewards = findRewards(_holder);

}

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

incorrect-position

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.