Zaros Part 1

Summary

Because settlements and liquidation are called off-chain, a decrease position order may inadvertently open a new short position that the user does not want.

Vulnerability Details

If a user is going for liquidation, he may want to submit a decreasing (Short) position to go again above maintenance margin and still be healthy. But since orders are settled through off-chain code, his order may not be filled in time and he may be liquidated. Then his order will be executed successfully and he will get a wrong position that he didn't want.

Consider this example:

Position = 10, at 9.5 it will be liquidatable, the user creates an off-chain order to reduce his position by 1 or 2 with his last money, but still wants to be on the Long side, as he believes that the price at the end will rise and he will win. But his order wasn’t settled on time, the margin he used dropped very quickly and he was eventually liquidated before his order was filled. Then when he sees this he is shocked and forgot to cancel his order, immediately after the liquidation the order is filled and his position is already short side by -1 or -2 regardless of what he wants.

Impact

Due to a delay in settlement, the user may be liquidated and find himself in a position he does not want.

Tools Used

Manual Review

Recommendations

Maybe include a minimumAmount of the position.size or something that ensures the user is satisfied after each order is executed. With this, user will be able to indicate that they still want to be on the Long side and if a case like above happens, the order will not be executed.