Liquidity Management

Summary

Mismanagement of totalShares and leverage positions allows users to withdraw more funds than they should, potentially draining the vault.

Vulnerability Details

The function _withdraw() in PerpetualVault.sol is responsible for handling user withdrawals.

Incorrect Code in _withdraw()

Problem Explanation

1. Incorrect Withdrawal Calculation:

   • The contract determines how much a user can withdraw based on shares divided by totalShares. However, if totalShares is not updated correctly during withdrawals, the contract may allow a user to withdraw more than their actual balance.

   • Example:

     • Assume totalShares = 1000 and a user owns 500 shares.

     • If totalDepositAmount = 100 ETH, the user should receive 50 ETH upon withdrawal.

     • However, if totalShares is not updated correctly, the contract might compute 100 ETH instead, leading to a full depletion of the vault.

2. Incorrect Collateral Deduction:

   • The function _createDecreasePosition() will incorrectly deduct collateralDeltaAmount if the calculations for open positions (positionData.collateralAmount * shares / totalShares) do not correctly reflect leverage impact.

   • If shares is incorrectly updated before collateral deduction, the function will overestimate collateralDeltaAmount, allowing excessive withdrawals.

3. Leverage Misuse & Manipulation Risk:

   • If _isLongOneLeverage(beenLong) is incorrectly set, an attacker will exploit long leverage positions to artificially inflate their collateral before withdrawing.

   • Example:

     • Assume a user deposits 10 ETH and takes a 10x long position.

     • The contract will think the user has 100 ETH in collateral.

     • If _withdraw() does not properly account for leveraged positions, the user could withdraw more ETH than they originally deposited.

Scenario

1. Step 1: Attacker Deposits and Opens a Leverage Position

   • The attacker deposits 10 ETH into the vault.

   • The contract assumes a 10x leverage, treating the attacker’s position as 100 ETH.

2. Step 2: Attacker Requests a Withdrawal

   • The attacker calls _withdraw(), expecting to remove 10 ETH.

   • Due to incorrect calculations in _handleReturn() and _createDecreasePosition(), the function believes the attacker is entitled to withdraw more.

3. Step 3: Vault Depletion

   • Instead of 10 ETH, the contract mistakenly allows 100 ETH withdrawal due to incorrect collateral calculations.

   • The vault is drained, and legitimate users cannot withdraw their funds.

Impact

Severity: High

• Impact: Full depletion of the vault’s liquidity, leading to financial losses for all users.

• Likelihood: High, as the issue could be exploited in a single transaction.

Tools Used

Manual Review

Recommendations

1. Fix the Withdrawal Calculation

   uint256 totalAmountBefore = _totalAmount(prices);

   uint256 _shares = amount * totalShares / totalAmountBefore;

   if (_shares > totalShares) {

   revert Error.InvalidAmount();

   }

   ​

   • This ensures that the withdrawal does not exceed the available liquidity.

2. Correct State Updates

   totalShares -= _shares;

   totalDepositAmount -= amount;

   ​

3. Leverage Validation

   • Ensure _isLongOneLeverage(beenLong) correctly checks if the position is active.

   if (!positionIsClosed && leverage > 1e4) {

   revert Error.InvalidState();

   }

   ​

4. Add Withdrawal Limits

   • Set max withdrawal thresholds to avoid over-extraction of funds.