Zaros Part 1

Summary

When withdrawing the Initial Margin (IM), the check uses a fill price as if the user had closed their positions. This causes the price to differ from what it actually is, which makes their margin ratio appear lower than it actually is, making it impossible to withdraw any amount while the deflated margin ratio is below the IM.

Vulnerability Details

Below is where the Initial Margin is calculated:

And here is where the markPrice is calculated. This price is then used to determine PnL:

And here is where the PnL is calculated:

This PnL is then part of the margin balance calculation:

Which finally is compared to the initial margin to see if the account is healthy enough to withdraw:

The issue here is that markPrice is calculated as if the position was closing:

This means that the PnL will be lower than it should be in cases where negative price impact would occur. With the lower PnL, the users will have a worse marginBalanceUsdX18, which will wrongly put the marginBalanceUsdX18 below requiredInitialMarginUsdX18. With this check wrongly failing, the user will not be able to withdraw any assets, even though they would in fact be above the IM.

Overall, this is an understandable safety measure. However, because users will not be able to withdraw assets that they should be able to, this safety measure becomes a vulnerability that impacts users by temporarily locking their funds.

The heart of this issue is that price impact is applied to a user's position even though their position is not changing, resulting in false passes of solvency checks in some cases and, in much worse cases, false failures that will lock away liquidity.

This is an edge case within the withdrawing functionality with high impact and low/medium likelihood, making this a medium overall.

Impact

Temporary locked funds.

Tools Used

Manual analysis

Recommendations

When determining solvency upon withdrawing, the markPrice should be calculated as if the position delta is 0, as there is no position change.