Summary

The getAccountMarginBreakdown function in the TradingAccountBranch contract iterates over the activeMarketsIds set to calculate margin requirements and unrealized P&L for each market. However, it does not verify if a position actually exists for each marketId in the set. If a position is not found, the function may revert with an error or produce incorrect results.

Vulnerability Details

The function assumes that every marketId in the activeMarketsIds set corresponds to an existing position in the Position library. However, this may not always be the case. If a position has been closed or liquidated, it may still be present in the activeMarketsIds set, but the corresponding Position.Data struct may have been cleared or deleted.

If the Position.load function is called with a marketId for which no position exists, it may revert with an error (if the Position library has a check for existence) or return an empty or invalid Position.Data struct, leading to incorrect calculations in the getAccountMarginBreakdown function.

Impact

If the function fails to account for non-existent positions, the calculated margin breakdown (margin balance, initial margin, maintenance margin, available margin) may be incorrect, leading to inaccurate risk assessments and potentially incorrect liquidation decisions.

Tools Used

Manual review

Recommendations

Before accessing the Position.Data struct for a given marketId, add a check to verify if the position exists. This can be done by checking if the Position.Data struct has a non-zero value for a specific field (e.g., size) or by adding a helper function to the Position library to check for existence.