Summary and Impact

The VaultReader contract's getPositionInfo() function fails to properly handle negative PnL values during netValue calculations, which can prevent users from withdrawing funds and block critical protocol operations like liquidations. This directly violates the protocol's core invariant of "Depositor Share Value Preservation" as stated in the documentation, where "the value of a depositor's shares should never decrease due to the actions of other depositors."

When positions experience significant losses, the contract's inability to process large negative PnL values effectively locks user funds and prevents the protocol from managing risk properly. This is particularly concerning for a protocol designed to handle leveraged trading positions up to 3x, where significant price movements are expected.

Vulnerability Details

The issue lies in the arithmetic operation within getPositionInfo() where netValue is calculated:

Consider this scenario:

1. A user deposits 1000 USDC into a 3x ETH vault

2. ETH price drops significantly (>33%)

3. The position's PnL becomes deeply negative

4. When trying to process a withdrawal or liquidation:

   • getPositionInfo() is called

   • netValue calculation attempts to subtract a large negative PnL value

   • The transaction reverts due to underflow

   • The position becomes effectively frozen

This creates a situation where:

• Users cannot withdraw their remaining funds

• The protocol cannot liquidate underwater positions

• Risk management becomes impossible

• The protocol's state becomes inconsistent with its documented invariants

Test demonstrating the issue:

Tools Used

• Manual Review

• Foundry

Recommendations

Modify the netValue calculation to use signed integers (int256) throughout the calculation to properly handle negative values:

This ensures the protocol can handle negative PnL values properly, maintain position management capabilities, and uphold its stated invariants regarding depositor share value preservation and withdrawal functionality.