Zaros Part 1

Zaros

DeFiFoundry

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Incorrect calculation of uPnl when sign flipping of a position

fyamf

Summary

accountTotalUnrealizedPnlUsdX18 is not calculated correctly if the position sign is going to be flipped during filling a new order. This leads to larger calculation of unrealized loss, making the users over charged.

Vulnerability Details

When filling the order, accountTotalUnrealizedPnlUsdX18 is calculated as (ignoring accruedFunding for simplicity):

accountTotalUnrealizedPnlUsdX18 = oldPositionSize * (markPrice - lastInteractionPrice)

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/leaves/TradingAccount.sol#L252
https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/leaves/Position.sol#L135

In the above equation, the markPrice is calculated based on the sizeDelta and indexPrice.
https://github.com/Cyfrin/2024-07-zaros/blob/main/src/perpetuals/leaves/TradingAccount.sol#L232

It means that:

If an old long position is going to be increased in size (buy order), accountTotalUnrealizedPnlUsdX18 would be positive because oldPosition is positive, and markPrice > lastInteractionPrice.
If an old long position is going to be decreased in size (sell order), accountTotalUnrealizedPnlUsdX18 would be negative because oldPosition is positive, and markPrice < lastInteractionPrice.
If an old short position is going to be increased in size (sell order), accountTotalUnrealizedPnlUsdX18 would be positive because oldPosition is negative, and markPrice < lastInteractionPrice.
If an old short position is going to be decreased in size (buy order), accountTotalUnrealizedPnlUsdX18 would be negative because oldPosition is negative, and markPrice > lastInteractionPrice.

So far, everything is good.

The issue is when an old short position is going to change sign, in other words, when the sizeDelta is higher than the old short position size. So, the short position changes to long postion. In this case accountTotalUnrealizedPnlUsdX18 would be negative because oldPosition is negative, and markPrice > lastInteractionPrice. But, the value of accountTotalUnrealizedPnlUsdX18 is over calculated and over charges the user unfairly. Because:

accountTotalUnrealizedPnlUsdX18 = oldShortPositionSize * (markPrice as a result Of SizeDelta - lastInteractionPrice)

While, if the account first creates an order to close the short position, and then creates another long position, the accountTotalUnrealizedPnlUsdX18 would be:

accountTotalUnrealizedPnlUsdX18 = oldShortPositionSize * (lastInteractionPrice - lastInteractionPrice) + sizeDelta * (0 - 0) = 0

It is expected that accountTotalUnrealizedPnlUsdX18 for both cases be equal to each other because the final state of the protocol and market would be the same.

In summary, when the sign of a position is flipped, the uPnl should be considered as if the old position is closed, and then a new position is created. This is not implemented properly in the protocol.

PoC1

In the following test, the account has a short position with size -2000, and later creates and fill a long order with size 90_000. The console.log shows that accountTotalUnrealizedPnlUsdX18 is equal to -8800e18, equivalent to 8800$ loss. The final collateral balance is equal to 918090e18 equivalent to 918_090.

function test_uPnLInOneStepSignFlipping()

external

givenTheSenderIsTheKeeper

givenTheMarketOrderExists

givenThePerpMarketIsEnabled

givenTheSettlementStrategyIsEnabled

givenTheReportVerificationPasses

whenTheMarketOrderIdMatches

givenTheDataStreamsReportIsValid

givenTheAccountWillMeetTheMarginRequirement

givenTheMarketsOILimitWontBeExceeded

{

TestFuzz_GivenThePnlIsPositive_Context memory ctx;

ctx.fuzzMarketConfig = getFuzzMarketConfig(ETH_USD_MARKET_ID);

uint256 marginValueUsd = 1_000_000e18;

ctx.marketOrderKeeper = marketOrderKeepers[ctx.fuzzMarketConfig.marketId];

deal({ token: address(usdz), to: users.naruto.account, give: marginValueUsd });

ctx.tradingAccountId = createAccountAndDeposit(marginValueUsd, address(usdz));

// Creating the first order

perpsEngine.createMarketOrder(

OrderBranch.CreateMarketOrderParams({

tradingAccountId: ctx.tradingAccountId,

marketId: ctx.fuzzMarketConfig.marketId,

sizeDelta: int128(-2000e18)

})

);

// Filling the first order

ctx.firstMockSignedReport =

getMockedSignedReport(ctx.fuzzMarketConfig.streamId, ctx.fuzzMarketConfig.mockUsdPrice);

changePrank({ msgSender: ctx.marketOrderKeeper });

perpsEngine.fillMarketOrder(ctx.tradingAccountId, ctx.fuzzMarketConfig.marketId, ctx.firstMockSignedReport);

// Creating the second order

changePrank({ msgSender: users.naruto.account });

perpsEngine.createMarketOrder(

OrderBranch.CreateMarketOrderParams({

tradingAccountId: ctx.tradingAccountId,

marketId: ctx.fuzzMarketConfig.marketId,

sizeDelta: 90_000e18

})

);

// Filling the second order

changePrank({ msgSender: ctx.marketOrderKeeper });

perpsEngine.fillMarketOrder(ctx.tradingAccountId, ctx.fuzzMarketConfig.marketId, ctx.firstMockSignedReport);

UD60x18 collat = perpsEngine.getAccountMarginCollateralBalance(ctx.tradingAccountId, address(usdz));

console.log("collateral balance: ", unwrap(collat));

}

PoC2

In the following test, the account has a short position with size -2000, and later creates and fill two orders. First, a long order with size 2_000 to close the old short order, second, a long order with size 88_000. The console.log shows that total accountTotalUnrealizedPnlUsdX18 for both orders is equal to 0, equivalent to no loss. The final collateral balance is equal to 926884.48e18 equivalent to 926_884$.

Comparing this value with collateral balance in PoC1 shows that the difference is almost 926_884 - 918_090 = 8794$. This difference is because of the unfair uPnl calcualted in PoC1 as well as 6$ as the order/settlement fee.

function test_uPnLInTwoStepsSignFlipping()

external

givenTheSenderIsTheKeeper

givenTheMarketOrderExists

givenThePerpMarketIsEnabled

givenTheSettlementStrategyIsEnabled

givenTheReportVerificationPasses

whenTheMarketOrderIdMatches

givenTheDataStreamsReportIsValid

givenTheAccountWillMeetTheMarginRequirement

givenTheMarketsOILimitWontBeExceeded

{

TestFuzz_GivenThePnlIsPositive_Context memory ctx;

ctx.fuzzMarketConfig = getFuzzMarketConfig(ETH_USD_MARKET_ID);

uint256 marginValueUsd = 1_000_000e18;

ctx.marketOrderKeeper = marketOrderKeepers[ctx.fuzzMarketConfig.marketId];

deal({ token: address(usdz), to: users.naruto.account, give: marginValueUsd });

ctx.tradingAccountId = createAccountAndDeposit(marginValueUsd, address(usdz));

// Creating the first order

perpsEngine.createMarketOrder(

OrderBranch.CreateMarketOrderParams({

tradingAccountId: ctx.tradingAccountId,

marketId: ctx.fuzzMarketConfig.marketId,

sizeDelta: int128(-2000e18)

})

);

// Filling the first order

ctx.firstMockSignedReport =

getMockedSignedReport(ctx.fuzzMarketConfig.streamId, ctx.fuzzMarketConfig.mockUsdPrice);

changePrank({ msgSender: ctx.marketOrderKeeper });

perpsEngine.fillMarketOrder(ctx.tradingAccountId, ctx.fuzzMarketConfig.marketId, ctx.firstMockSignedReport);

// Creating the second order

changePrank({ msgSender: users.naruto.account });

perpsEngine.createMarketOrder(

OrderBranch.CreateMarketOrderParams({

tradingAccountId: ctx.tradingAccountId,

marketId: ctx.fuzzMarketConfig.marketId,

sizeDelta: 2000e18

})

);

// Filling the second order

changePrank({ msgSender: ctx.marketOrderKeeper });

perpsEngine.fillMarketOrder(ctx.tradingAccountId, ctx.fuzzMarketConfig.marketId, ctx.firstMockSignedReport);

// Creating the third order

changePrank({ msgSender: users.naruto.account });

perpsEngine.createMarketOrder(

OrderBranch.CreateMarketOrderParams({

tradingAccountId: ctx.tradingAccountId,

marketId: ctx.fuzzMarketConfig.marketId,

sizeDelta: 88_000e18

})

);

// Filling the third order

changePrank({ msgSender: ctx.marketOrderKeeper });

perpsEngine.fillMarketOrder(ctx.tradingAccountId, ctx.fuzzMarketConfig.marketId, ctx.firstMockSignedReport);

UD60x18 collat = perpsEngine.getAccountMarginCollateralBalance(ctx.tradingAccountId, address(usdz));

console.log("collateral balance: ", unwrap(collat));

}

Impact

Over calculation of uPnl when the old position sign is going to be changed during filling of the new order.

Tools Used

Recommendations

When the sign of a position is changed, the uPnl should be considered as if the old position is closed, and then a new position is created.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Crafted orders that flip skew can optimize fee payment

Appeal created

cryptomoon Judge

over 1 year ago

inallhonesty Lead Judge

over 1 year ago

cryptomoon Judge

over 1 year ago

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

Crafted orders that flip skew can optimize fee payment

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,878

21 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.