```LiquidationPool::position``` function returns wrong EUROs amount.
Summary
The protocol implements position function in the LiquidationPool contract so that we can get a position's TST and EUROs amount.
This function implementation is not correct and will return wrong values for the position's EUROs.
Vulnerability Details
If we look at the position function we see that after accounting for the pendingStakes in the next line if the holder stake any TST tokens we increase the EUROs amount by how much he will get from the manager contract as rewards if (_position.TST > 0) _position.EUROs += IERC20(EUROs).balanceOf(manager) * _position.TST / getTstTotal();.
The problem is this line reads the whole EUROs balance the manager contract holds IERC20(EUROs).balanceOf(manager) and does not account for the poolFeePercentage.
But in the LiquidationPoolManager::distributeFees the actual EUROs sent as rewards is uint256 _feesForPool = eurosToken.balanceOf(address(this)) * poolFeePercentage / HUNDRED_PC;. So whenever the position function is called it will return more EUROs then what the position actually has.
Impact
This will show more EUROs for a position than what the position actually have.
Tools Used
manual.
Recommendations
Change this line: if (_position.TST > 0) _position.EUROs += IERC20(EUROs).balanceOf(manager) * _position.TST / getTstTotal(); in the position function to this:
OR just don't include the pending rewards when get the position's EUROs.
Lead Judging Commences
incorrect-position
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.