Incorrect Net Value Calculation Allows Under-Collateralized Positions to Remain Open
The function getPositionInfo() miscalculates the net value of a position due to incorrect handling of negative PnL (positionInfo.basePnlUsd). The flawed logic in the following snippet:
incorrectly casts negative PnL, potentially increasing the net value instead of reducing it. This happens because Solidity does not support negative numbers natively, and -positionInfo.basePnlUsd can wrap incorrectly when converted to an unsigned integer. As a result, traders with losses could appear to have more collateral than they actually do, preventing necessary liquidations. To add, the function does not cap net value to a safe upper limit, meaning that in cases where fees are not properly accounted for, positions may remain open despite being under-collateralized, leading to protocol insolvency.
Impact
Under-collateralized positions are incorrectly kept open, preventing necessary liquidations and exposing the protocol to potential bad debt accumulation.
Mitigation
Ensure proper subtraction of negative PnL by explicitly converting signed values before arithmetic operations and enforce an upper bound on net value to prevent manipulation.
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.