DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Invalid

Users can withdraw up to maintenance margin when they shouldn't be able to

Summary

Users can withdraw up to maintenance margin when they shouldn't be able to

Vulnerability Details

Whenever a user creates a market order, there is this piece of code:

// check maintenance margin if:
// 1) position is not increasing AND
// 2) existing position is being decreased in size
//
// when a position is under the higher initial margin requirement but over the
// lower maintenance margin requirement, we want to allow the trader to decrease
// their losing position size before they become subject to liquidation
//
// but if the trader is opening a new position or increasing the size
// of their existing position we want to ensure they satisfy the higher
// initial margin requirement
ctx.shouldUseMaintenanceMargin = !Position.isIncreasing(params.tradingAccountId, params.marketId, params.sizeDelta) && ctx.isMarketWithActivePosition;

The comment says that if the position is under the initial margin and is over the maintenance margin, the user can decrease their position based on the maintenance margin. The issue is that if the user is above the initial margin, he can still decrease his position up to the maintenance margin, as there are no checks disallowing that.

Impact

Users can withdraw up to maintenance margin when they shouldn't be able to

Tools Used

Manual Review

Recommendations

If the user is above the initial margin, shouldUseMaintenanceMargin should be false

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Users can withdraw up to maintenance margin when they shouldn't be able to
