A critical naming error in the getPositionInfo function of the VaultReader contract could lead to incorrect position size calculations: the function retrieves a USD value but stores it in a variable whose name indicates a token amount.
In getPositionInfo the variable is named sizeInTokens, but it is assigned the USD value returned by getPositionSizeInUsd. This violates the "Clean Code" principle that a variable's name should reflect its contents.
Developers reading sizeInTokens will assume its value is denominated in tokens. Any arithmetic that relies on that assumption (for example multiplying it by a token price to obtain a USD notional) is off by the price factor.
Incorrect position sizing leading to wrong risk calculations.
1. A user opens a position worth 10 ETH (at $2,000/ETH = $20,000).
2. getPositionInfo is called to compute the position metrics.
3. sizeInTokens receives 20,000 (the USD value) from getPositionSizeInUsd.
4. Any subsequent calculation that trusts the variable name treats 20,000 as a token amount instead of a USD value.
5. Such a calculation overvalues the position 2,000-fold (20,000 ETH instead of 10 ETH).
Manual review
Rename the variable to sizeInUsd so that it matches the value returned by getPositionSizeInUsd, or, if a token amount is actually wanted, convert the USD value to tokens using the position's price before storing it in sizeInTokens.
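The following sketch is an added illustration written for this page; it is not the audited VaultReader code, and the interface, the 30-decimal USD precision, the 18-decimal collateral token and the price format are all assumptions. It places the misnamed variable beside the renamed form, shows how a token amount would be derived from the USD value, and shows why a plain zero check gives the same answer whichever unit the variable holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal stand-in for the vault the reader queries.  Assumption: USD
/// amounts and prices are fixed-point with 30 decimals (USD_PRECISION), and
/// a price is USD per one whole token.  None of this is taken from the
/// contract under review.
interface IVaultLike {
    function getPositionSizeInUsd(bytes32 key) external view returns (uint256);
    function getCollateralToken(bytes32 key) external view returns (address);
    function getPrice(address token) external view returns (uint256);
}

contract VaultReaderSketch {
    uint256 internal constant USD_PRECISION = 1e30;  // assumed
    uint256 internal constant TOKEN_UNIT = 1e18;     // assumed 18-decimal collateral token

    IVaultLike public immutable vault;

    constructor(IVaultLike vault_) {
        vault = vault_;
    }

    /// BEFORE (the pattern the finding describes): the name promises tokens,
    /// the value is USD.  A caller that trusts the name and multiplies by the
    /// price gets a notional inflated by the price factor.
    function getPositionInfoMisnamed(bytes32 key) external view returns (uint256 sizeInTokens) {
        sizeInTokens = vault.getPositionSizeInUsd(key); // USD, despite the name
    }

    struct PositionInfo {
        uint256 sizeInUsd;    // USD_PRECISION fixed point
        uint256 sizeInTokens; // TOKEN_UNIT fixed point, derived from sizeInUsd / price
        bool isOpen;
    }

    /// AFTER: store the USD value under a name that says USD, and derive the
    /// token amount explicitly.  The zero check works on either field because
    /// a position with zero USD notional also has zero tokens.
    function getPositionInfo(bytes32 key) external view returns (PositionInfo memory info) {
        info.sizeInUsd = vault.getPositionSizeInUsd(key);
        info.isOpen = info.sizeInUsd != 0;
        if (info.isOpen) {
            uint256 price = vault.getPrice(vault.getCollateralToken(key));
            require(price != 0, "zero price");
            // usd (30 dec) / price (30 dec) = whole tokens; scale to token units.
            // Example (assumed numbers): 20_000e30 * 1e18 / 2_000e30 = 10e18, i.e. 10 ETH.
            info.sizeInTokens = (info.sizeInUsd * TOKEN_UNIT) / price;
        }
    }

    /// Demonstrates the miscalculation: feeding the USD figure into a formula
    /// that expects tokens overstates the notional by `price / USD_PRECISION`,
    /// which is the 2,000-fold figure in the attack path above for a $2,000 token.
    function notionalFromTokens(uint256 sizeInTokens, uint256 price) external pure returns (uint256) {
        return (sizeInTokens * price) / TOKEN_UNIT;
    }
}
```

Passing the USD value into notionalFromTokens as if it were a token amount yields 20,000 * 2,000 = $40,000,000 instead of $20,000 for the position in the attack path; the renamed field makes that mistake visible at the call site.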
Only a check for whether there are no tokens is performed. Checking whether USD is 0 is equivalent. There is no problem here, even if the variable has an incorrect name: Informational.