The PerpetualVault contract contains a critical precision loss vulnerability in its PnL calculations. When calculating profits and losses, the contract performs division operations before applying precision multipliers, resulting in severe truncation of user profits.
HIGH - Direct financial loss to users
Users receive near-zero profits on profitable trades
Most severely impacts: large positions (>$100k), leveraged positions (especially 5x-10x), and small price movements (<1%)
Loss severity increases with position size
Affects all profitable trades across the protocol
Testing with a realistic scenario demonstrates the severity:
Testing with $100k position at 10x leverage:
The vulnerability stems from incorrect ordering of arithmetic operations:
Reorder arithmetic operations to maintain precision:
Implement comprehensive decimal handling library
Add invariant tests for precision maintenance
Implement minimum profit thresholds
Consider using established fixed-point arithmetic libraries (e.g. PRBMath)
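The divide-before-multiply bug class described above, modelled with Python integers in place of Solidity's truncating uint256 division. This is an added example, not code from PerpetualVault or from the report. The formula, the scales (`PRECISION`, 8-decimal prices, 6-decimal USD), the function names and the sample position are all assumptions.

```python
from fractions import Fraction
from math import floor

PRECISION = 10**18     # assumed fixed-point scale (hypothetical)
PRICE_UNIT = 10**8     # assumed price decimals
USD_UNIT = 10**6       # assumed collateral-token decimals

# Constructed sample: $100k collateral at 10x leverage, price moves 0.5%.
NOTIONAL = 100_000 * 10 * USD_UNIT
ENTRY = 2000 * PRICE_UNIT
EXIT = 2010 * PRICE_UNIT

def price_delta(entry, exit_price):
    # Unsigned arithmetic: only a profitable long is modelled here.
    if entry <= 0 or exit_price < entry:
        raise ValueError("model covers profitable longs only")
    return exit_price - entry

def pnl_divide_first(notional, entry, exit_price):
    # Division runs before the precision multiplier is applied, so any
    # move smaller than 100% of the entry price truncates to zero.
    ratio = (price_delta(entry, exit_price) // entry) * PRECISION
    return notional * ratio // PRECISION

def pnl_multiply_first(notional, entry, exit_price):
    # Scale up first, divide last: the fraction survives the division.
    ratio = price_delta(entry, exit_price) * PRECISION // entry
    return notional * ratio // PRECISION

def precision_invariant_holds(notional, entry, exit_price):
    # Invariant: the fixed-point result never exceeds the exact rational
    # PnL and is short by at most one base unit (for notional <= PRECISION).
    exact = Fraction(notional * price_delta(entry, exit_price), entry)
    got = pnl_multiply_first(notional, entry, exit_price)
    return 0 <= floor(exact) - got <= 1

if __name__ == "__main__":
    print("divide first  :", pnl_divide_first(NOTIONAL, ENTRY, EXIT))
    print("multiply first:", pnl_multiply_first(NOTIONAL, ENTRY, EXIT))
    print("invariant ok  :", precision_invariant_holds(NOTIONAL, ENTRY, EXIT))
```

The same invariant can be expressed as a fuzz or invariant test against the real contract through its external entry points, which is the kind of proof the judging note below asks for.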
Financial: Critical (99.99% profit loss)
Scope: All users with profitable trades
Complexity: Low (fundamental calculation error)
PnL calculations
Profit distribution
Fee calculations
Position valuations
Found: February 20, 2025
Reported: February 21, 2025
Fixed: Pending
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.