DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Missing Event Emissions for Critical State Changes in PerpetualVault Contract

Summary:

  • The PerpetualVault contract lacks event emissions for important state changes.

  • Affected functions: cancelOrder(), claimCollateralRebates(), afterOrderExecution(), afterLiquidationExecution(), and afterOrderCancellation().

Severity: Medium

Impact: Medium

Likelihood: Medium


Affected Line of Code:

  • cancelOrder()

  • claimCollateralRebates()

  • afterOrderExecution()

  • afterLiquidationExecution()

  • afterOrderCancellation()


Finding Description:

  • The following functions lack event emissions:

    • Order cancellations (cancelOrder())

    • Collateral rebate claims (claimCollateralRebates())

    • Execution state transitions (afterOrderExecution())

    • Liquidation events (afterLiquidationExecution())

    • Order cancellation events (afterOrderCancellation())

  • The absence of these events breaks the guarantees of transparency and auditability, as key state changes in the contract cannot be tracked off-chain.


Impact Explanation:

  • Impact: Medium.

    • Missing events reduce visibility into critical state changes, such as order cancellations, collateral claims, executions, and liquidations.

    • This impacts off-chain monitoring systems and dApp functionalities, making it difficult for users and external services to track these events.


Likelihood Explanation:

  • Likelihood: Medium.

    • The lack of events does not cause immediate contract failure, but it compromises the contract's transparency and monitoring in the long term.

    • As the contract scales and more actions are processed, the impact of this issue will increase.


Proof of Concept:

  • No Event Emission Example:

    • After an order cancellation (cancelOrder()), no event is emitted to notify external systems about the state change.

    • No event for collateral rebate claims in claimCollateralRebates(), leaving external systems unaware of when a user claims their rebate.

    • State changes during order execution in afterOrderExecution() are not logged, making it impossible for external monitoring systems to track these executions.

    • No event emitted during liquidation in afterLiquidationExecution(), leaving no external way to detect liquidation events.


Recommendation:

  • Fix: Add event emissions for the following key functions in the PerpetualVault contract:

    • cancelOrder(): Emit an OrderCancelled event.

    • claimCollateralRebates(): Emit a CollateralRebateClaimed event.

    • afterOrderExecution(): Emit an OrderExecuted event.

    • afterLiquidationExecution(): Emit a LiquidationExecuted event.

    • afterOrderCancellation(): Emit an OrderCancelled event.

    Fixed Code Example:

    // Inside the PerpetualVault contract:
    event OrderCancelled(address indexed user, uint256 orderId);
    event CollateralRebateClaimed(address indexed user, uint256 rebateAmount);
    event OrderExecuted(address indexed user, uint256 orderId, uint256 amount);
    event LiquidationExecuted(address indexed user, uint256 positionId, uint256 amount);

    function cancelOrder(uint256 orderId) public {
        // Logic for canceling the order
        emit OrderCancelled(msg.sender, orderId);
    }

    function claimCollateralRebates() public {
        // Logic for claiming collateral rebates
        uint256 rebateAmount = 0; // placeholder; the elided claim logic computes this value
        emit CollateralRebateClaimed(msg.sender, rebateAmount);
    }

    function afterOrderExecution(uint256 orderId) public {
        // Logic for after order execution
        uint256 amount = 0; // placeholder; the elided execution logic computes this value
        emit OrderExecuted(msg.sender, orderId, amount);
    }

    function afterLiquidationExecution(uint256 positionId) public {
        // Logic for liquidation execution
        uint256 amount = 0; // placeholder; the elided liquidation logic computes this value
        emit LiquidationExecuted(msg.sender, positionId, amount);
    }

    function afterOrderCancellation(uint256 orderId) public {
        // Logic for after order cancellation
        emit OrderCancelled(msg.sender, orderId);
    }
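
The monitoring gap described in the submission, as an added example that is not part of the submission or of the project's code: an off-chain check that flags successful calls to the five listed functions whose receipts carry no matching event. It assumes transactions have already been decoded into a function name and a list of event names; the event names come from the recommendation above, and the transaction records are constructed.

```python
# Added example with constructed data. The function-to-event map follows the
# submission's recommendation; the transaction records are hypothetical.
EXPECTED_EVENT = {
    "cancelOrder": "OrderCancelled",
    "claimCollateralRebates": "CollateralRebateClaimed",
    "afterOrderExecution": "OrderExecuted",
    "afterLiquidationExecution": "LiquidationExecuted",
    "afterOrderCancellation": "OrderCancelled",
}

# Constructed sample of decoded vault transactions (hashes are placeholders).
# "status": 1 = success, 0 = reverted; "events" = event names in the receipt.
SAMPLE_TXS = [
    {"hash": "0xaaa1", "status": 1, "function": "cancelOrder", "events": []},
    {"hash": "0xaaa2", "status": 1, "function": "claimCollateralRebates",
     "events": ["CollateralRebateClaimed"]},
    {"hash": "0xaaa3", "status": 0, "function": "afterOrderExecution", "events": []},
    {"hash": "0xaaa4", "status": 1, "function": "afterLiquidationExecution",
     "events": ["Transfer"]},  # an unrelated event does not make the call observable
    {"hash": "0xaaa5", "status": 1, "function": "otherFunction", "events": []},
]

def silent_state_changes(txs):
    """Successful calls to a tracked function whose receipt lacks its event."""
    findings = []
    for tx in txs:
        expected = EXPECTED_EVENT.get(tx["function"])
        if expected is None:   # function is outside the finding's scope
            continue
        if tx["status"] != 1:  # reverted: state is rolled back, logs are dropped
            continue
        if expected not in tx["events"]:
            findings.append((tx["hash"], tx["function"], expected))
    return findings

def coverage(txs):
    """Per function: (calls visible through the expected event, successful calls)."""
    stats = {}
    for tx in txs:
        expected = EXPECTED_EVENT.get(tx["function"])
        if expected is None or tx["status"] != 1:
            continue
        seen, total = stats.get(tx["function"], (0, 0))
        stats[tx["function"]] = (seen + (expected in tx["events"]), total + 1)
    return stats

if __name__ == "__main__":
    for tx_hash, fn, event in silent_state_changes(SAMPLE_TXS):
        print(f"{tx_hash}: {fn}() succeeded without {event}")
    print(coverage(SAMPLE_TXS))
```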

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
