Disable market limitation can be bypassed
Summary
The isNotionalValueIncreasing function incorrectly checks if a new position is being opened. A user with an existing position can open a smaller position in the opposite direction, bypassing the disabled market check.
Vulnerability Details
When a market is disabled the protocol allows users to decrease positions, but it aims to prevent increasing them. The check in isNotionalValueIncreasing does not cover all cases allowing users to open a smaller position in the opposite direction which should still be considered and increase and disallowed when the market is disabled.
Example:
sizeDeltaX18 = -25
sizeX18 = 24
(-25 + 24).abs() > 24 = -1.abs > 24 = 1 > 24 = false; when we are closing the long and oppening a short position.
The check is also used for selecting between initial and maintenance margin, allowing users to use maintenance margin in some cases when opening positions in the opposite direction.
Impact
A trader can increase their position size in the opposite direction even when the market is disabled, and can use their maintenance margin to do so.
Recommendations
In the Position::isNotionalValueIncreasing, adjust the return statement to account for cases where a position is being opened in the opposite direction.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.