Wrong use of USD value in position check
Title
Wrong use of USD value in position check
Summary
The VaultReader::getPositionInfo function uses USD value instead of token size to check if a position exists, leading to incorrect position handling and potential financial risks.
Vulnerability Details
In the getPositionInfo function, the sizeInTokens variable is incorrectly set to getPositionSizeInUsd. This is problematic because getPositionSizeInUsd returns the position size in USD, not tokens. The function uses this USD value to check if the position size is zero, causing early exits even when the token size is not zero. Since the function doesn't call getPositionSizeInTokens, it never fetches the correct token size. This leads to positions with non-zero token sizes being mishandled based on incorrect USD values, resulting in potential miscalculations and invalid data.
Impact
Positions with non-zero token sizes but zero USD value are incorrectly ignored.
Tools Used
Manual Review
Recommendations
Update the sizeInTokens assignment to use getPositionSizeInTokens(key) instead of getPositionSizeInUsd(key) and ensure the function checks the correct value.
Lead Judging Commences
invalid_getPosition_sizeInTokens_value_in_USD
Only check if there are no tokens. Checking if USD is 0 is equivalent. There is no problem here, even if the variable has an incorrect name: Informational.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.