DeFiFoundry
60,000 USDC
Submission Details
Severity: high
Valid

Incorrect Margin Requirement Calculation for Large Position Changes

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/OrderBranch.sol#L336-L340

https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/SettlementBranch.sol#L427-L430

Summary

When users open a position or increase an existing position, the system uses requiredInitialMarginUsdX18 as the margin ratio. For position reduction or closing, it uses requiredMaintenanceMarginUsdX18. However, Zaros overlooks the possibility of opening a large position in the opposite direction while reducing a position, leading to situations where requiredMaintenanceMarginUsdX18 is used for calculations when requiredInitialMarginUsdX18 should be applied.

Vulnerability Details

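// Maintenance margin is selected for every non-increasing order on an existing position, whatever the order size.
ctx.shouldUseMaintenanceMargin = !ctx.isIncreasing && !ctx.oldPositionSizeX18.isZero();
ctx.requiredMarginUsdX18 =
    ctx.shouldUseMaintenanceMargin ? requiredMaintenanceMarginUsdX18 : requiredInitialMarginUsdX18;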

The program only considers the direction of position change when calculating requiredMarginUsdX18. When the position change is sufficiently large, it effectively equates to opening a new position. Logically, requiredInitialMarginUsdX18 should be used in such cases, but the program fails to account for this scenario.

Impact

This vulnerability allows users to exploit the system by:

  1. Opening a minimal position in the opposite direction of their intended trade.

  2. Subsequently opening a large position in their desired direction.

This method enables users to bypass the requiredInitialMarginUsdX18 restriction, effectively increasing their maximum leverage ratio. The consequences of this exploit are significant:

  1. Increased Systemic Risk: Higher leverage ratios amplify the potential for cascading liquidations in volatile market conditions.

  2. Unfair Advantage: Knowledgeable users can access higher leverage than intended, creating an uneven playing field.

  3. Undermined Risk Management: The protocol's risk management mechanisms are compromised, potentially leading to insolvency in extreme cases.

Tools Used

Manual Review.

Recommendations

Implement a check to ensure that when closing or reducing a position, the absolute value of the traded position does not exceed the absolute value of the original position. This can be achieved by:

  1. Comparing the new position size to the old position size.

  2. If the absolute value of the new position exceeds the old one, treat it as opening a new position in the opposite direction and use requiredInitialMarginUsdX18.

  3. Only use requiredMaintenanceMarginUsdX18 when the absolute value of the new position is less than or equal to the old position.

This approach will prevent users from exploiting the system to gain excessive leverage and maintain the intended risk management parameters of the protocol.
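
A simplified model of the margin selection quoted above next to the recommended check, added here as an illustration; it is not code from the Zaros repository. The margin rates, mark price, collateral, position sizes and the definition of is_increasing are constructed assumptions, and fees and unrealized PnL are ignored.

```python
from fractions import Fraction

# Constructed parameters for illustration only (not Zaros configuration).
INITIAL_MARGIN_RATE = Fraction(1, 100)      # 1% of notional
MAINTENANCE_MARGIN_RATE = Fraction(1, 200)  # 0.5% of notional
MARK_PRICE = Fraction(2000)                 # USD per unit of size

def is_increasing(old_size, size_delta):
    # Assumption: an order increases a position when it trades in the
    # same direction as the existing, non-zero position.
    return old_size != 0 and (old_size > 0) == (size_delta > 0)

def maintenance_as_quoted(old_size, size_delta):
    # Mirrors: !ctx.isIncreasing && !ctx.oldPositionSizeX18.isZero()
    return not is_increasing(old_size, size_delta) and old_size != 0

def maintenance_hardened(old_size, size_delta):
    # Recommendation: maintenance margin only while the resulting position
    # is no larger in absolute size than the old one.
    new_size = old_size + size_delta
    return maintenance_as_quoted(old_size, size_delta) and abs(new_size) <= abs(old_size)

def required_margin_usd(old_size, size_delta, rule):
    # Margin is charged on the notional of the resulting position.
    notional = abs(old_size + size_delta) * MARK_PRICE
    rate = MAINTENANCE_MARGIN_RATE if rule(old_size, size_delta) else INITIAL_MARGIN_RATE
    return notional * rate

def order_accepted(collateral_usd, old_size, size_delta, rule):
    return collateral_usd >= required_margin_usd(old_size, size_delta, rule)

# Constructed scenarios: (label, old position size, order size delta).
SCENARIOS = [
    ("open 75 from flat", Fraction(0), Fraction(75)),
    ("flip from -0.001 to +75", Fraction(-1, 1000), Fraction(75001, 1000)),
    ("reduce +40 to +30", Fraction(40), Fraction(-10)),
]

if __name__ == "__main__":
    collateral = Fraction(1000)  # constructed account collateral in USD
    for label, old, delta in SCENARIOS:
        for rule in (maintenance_as_quoted, maintenance_hardened):
            need = required_margin_usd(old, delta, rule)
            ok = order_accepted(collateral, old, delta, rule)
            print(f"{label:26} {rule.__name__:22} required={float(need):8.2f} accepted={ok}")
```

With these numbers the same 75-unit position needs 1,500 USD when opened from flat but only 750 USD under the quoted rule when reached by flipping a 0.001 short; the hardened rule charges 1,500 USD in both cases and leaves the genuine reduction at maintenance margin.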

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Disable market limitation can be bypassed
