Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Traders may not close their position because of

jennifersun

Summary

When traders close their position, the skew may increase. This could cause dos if the increasing skew triggered maxSkew.

Vulnerability Details

In zaros, there is one parameter maxSkew. maxSkew aims to prevent the difference between long position value and short position value too large. This may cause too much system risk. When traders create one order, the system will check to make sure the skew will not exceed maxSkew.
The vulnerability is that normal traders may fail to close their positions. Considering below scenario:

  • Alice chooses to create one SHORT order in market A.

  • Most traders to create one LONG order in market A. Currently, the current skew reaches maxSkew.

  • Alice wants to close her SHORT position, this will cause current skew will exceed maxSkew, and Alice's operation will be reverted because of ExceedsSkewLimit

function checkOpenInterestLimits(
Data storage self,
SD59x18 sizeDelta,
SD59x18 oldPositionSize,
SD59x18 newPositionSize
)
internal
view
returns (UD60x18 newOpenInterest, SD59x18 newSkew)
{
...
if (newSkew.abs().gt(maxSkew)) {
bool isReducingSkew = currentSkew.abs().gt(newSkew.abs());
if (!isReducingSkew) {
revert Errors.ExceedsSkewLimit(self.id, maxSkew.intoUint256(), newSkew.intoInt256());
}
}
}

Impact

Normal traders' positions may not be closed. This will lead traders exposed to risks. Maybe they will be liquidated.

Tools Used

Manual

Recommendations

If traders want to close or decrease their position, the skewLimit should not take effect on this case.

Updates

Lead Judging Commences

inallhonesty Lead Judge
11 months ago
inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Traders can't close positions that go against `maxSkew`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.