DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

TradingAccountBranch.sol#depositMargin() - lack of minimum deposit amount leads to bad incentive

Summary

Zaros, like any perpetual protocol, allows for deadlineless positions as long as they retain a healthy margin. This is enforced by checking that requiredMargin > margin; if not, the position is liquidatable, to clear bad debt and reward the liquidator.

However, the liquidatable position's collateral plays a role, since liquidations are based on this amount. Smaller positions provide a lesser incentive for liquidation and could accrue bad debt if the liquidation is not profitable to execute.

Vulnerability Details

The depositMargin() function of the account branch manages token deposits by going through a series of sanity checks for the cap, non-zero amount and liquidation priority. However, the amount sent is never checked against a minimum, neither here nor inside the internal deposit() of the trading account.
This lack of restriction could allow depositors to create low-margin positions whose liquidation could turn out unprofitable for the liquidator after fees, depending greatly on the gas cost of the liquidation, since the operation involves a number of loops and computations.

Such positions without incentive for liquidation could be left accruing bad-debt for the protocol.

Impact

Bad debt accumulation due to lack of incentive

Tools Used

Manual Review

Recommendations

Enforce some kind of minimum position size. The position cap partially combats opening a number of small positions, but the liquidation incentive problem remains unsolved. The minimum amount can be calculated from the token's decimals and its price, etc.
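
One way to express the recommended minimum as a function of the token's decimals and price, shown as an added example that is not part of the original submission or the Zaros code base. The contract name, the USD floor parameter, the 18-decimal price format and all function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical example: no identifier here is taken from the Zaros contracts.
contract MinDepositExample {
    error ZeroPrice();
    error DepositBelowMinimum(uint256 amount, uint256 minimum);

    /// Smallest deposit value accepted, in USD with 18 decimals
    /// (assumed to be a governance-chosen parameter, e.g. 10e18 = 10 USD).
    uint256 public immutable minDepositUsdX18;

    constructor(uint256 _minDepositUsdX18) {
        minDepositUsdX18 = _minDepositUsdX18;
    }

    /// Converts the USD floor into base units of the collateral token.
    /// @param priceUsdX18 USD price of one whole token, 18 decimals (assumed oracle format).
    /// @param tokenDecimals Decimals of the collateral token (6 for USDC, 18 for WETH).
    function minDepositAmount(uint256 priceUsdX18, uint8 tokenDecimals)
        public
        view
        returns (uint256)
    {
        if (priceUsdX18 == 0) revert ZeroPrice();
        // usd / price = whole tokens; scale by 10^decimals to get base units.
        uint256 numerator = minDepositUsdX18 * (10 ** uint256(tokenDecimals));
        // Round up so a deposit can never land just below the USD floor.
        return (numerator + priceUsdX18 - 1) / priceUsdX18;
    }

    /// Reverts when `amount` (in token base units) is worth less than the floor.
    /// This covers the deposit path only; a withdrawal path would need its own check.
    function checkDeposit(uint256 amount, uint256 priceUsdX18, uint8 tokenDecimals)
        external
        view
    {
        uint256 minimum = minDepositAmount(priceUsdX18, tokenDecimals);
        if (amount < minimum) revert DepositBelowMinimum(amount, minimum);
    }
}
```

With a floor of 10e18 and a price of 1e18, a 6-decimal token yields a minimum of 10,000,000 base units (10 whole tokens).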

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
