Summary

The VaultReader contract contains a flaw in its collateral and liquidation logic, specifically within the willPositionCollateralBeInsufficient() function. The calculations for realized profit and loss (PnL) do not properly account for edge cases, such as negative PnL manipulation, zero sizeDeltaUsd, and incorrect size adjustments. This issue may lead to incorrect liquidation decisions, potentially allowing positions to remain undercollateralized or be liquidated unexpectedly.

Vulnerability Details

The problematic logic is as follows

Negative PnL Manipulation:

If positionInfo.basePnlUsd is negative, attackers may exploit this to adjust collateral incorrectly, leading to inaccurate liquidation decisions.

Division by Zero Risk:

If sizeDeltaUsd == 0, the division operation will revert, breaking contract execution.

Improper Liquidation Conditions:

The liquidation logic assumes that basePnlUsd accurately reflects collateral sufficiency, but it lacks safeguards to prevent erroneous PnL calculations from causing unintended liquidations.

Impact

Incorrect Liquidation Decisions: Positions may be liquidated even when collateral is sufficient or remain open despite being undercollateralized.

Potential Exploitation: Malicious actors could manipulate basePnlUsd to influence liquidation conditions, possibly avoiding liquidation or forcing others into liquidation.

Smart Contract Instability: Division by zero may cause transaction failures, preventing liquidation from executing properly.

Tools Used

Manual

Recommendations

Sanity Check basePnlUsd:

Ensure basePnlUsd is within expected ranges to prevent manipulation.

Implement an upper/lower bound for basePnlUsd to avoid extreme values affecting liquidation logic.

Validate sizeDeltaUsd Before Division: