Users can bypass `PositionsLimit` to create extra positions
Summary
Users can bypass PositionsLimit to create extra positions.
Vulnerability Details
When creating a new order, tradingAccount.validatePositionsLimit()is used to check if this new position would put the account over the maximum number of open positions. However, this check is missed when the order is filled.
Therefore, users can make the number of positions exceed the limit through the following paths:
Assume
maxPositionsPerAccount= 10Alice now have 9 active positions. She hopes to have 11 positions.
Alice make order A offchain to create a position in a market where she has no position.
before order A is executed, Alice make order B onchain to create a position in a market where she has no position.
Order A is executed, followed by order B. Since the number of positions is not checked when the order is executed, Alice finally has 11 positions
Impact
Likelihood: high - Exploitation of this vulnerability does not depend on any external conditions.
+
Impact: low - A security measure can be bypassed.
=
Severity: low
Tools Used
Manual review
Recommendations
tradingAccount.validatePositionsLimit()should be called both in _fillOrder and createMarketOrder.
Lead Judging Commences
`maxPositionsPerAccount` may be exceeded by combining onchain and offchain orders
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.