[M-06] Incorrect Precision Scaling in `getPositionInfo()` Can Lead to Miscomputed Values
Summary
The getPositionInfo function in the VaultReader contract performs arithmetic operations on various financial values related to a position, such as collateral, fees, and profit & loss (PnL). However, the calculations do not properly account for precision scaling, leading to potential inaccuracies in computed values. This could affect trading logic, fund calculations, and overall contract behavior.
Vulnerability Details
Function Involved
Issue Breakdown
-
Incorrect Scaling When Multiplying Prices
The function multiplies token amounts by their respective prices without considering that prices are typically stored with a precision factor (e.g., 1e30 for GMX pricing). This can cause overflows, underflows, or incorrect calculations.uint256 netValue =positionInfo.position.numbers.collateralAmount * prices.shortTokenPrice.min +positionInfo.fees.funding.claimableLongTokenAmount * prices.longTokenPrice.min +positionInfo.fees.funding.claimableShortTokenAmount * prices.shortTokenPrice.min -positionInfo.fees.borrowing.borrowingFeeUsd -positionInfo.fees.funding.fundingFeeAmount * prices.shortTokenPrice.min -positionInfo.fees.positionFeeAmount * prices.shortTokenPrice.min;Why is this an issue?
If
prices.shortTokenPrice.minis stored in 1e30 format, then multiplying it directly with anamountstored in 1e18 format will create a huge, incorrect value.If the contract logic expects the result in 1e18 format, then operations relying on
netValuemay misbehave.
-
Improper Handling of Negative
basePnlUsdif (positionInfo.basePnlUsd >= 0) {netValue = netValue + uint256(positionInfo.basePnlUsd);} else {netValue = netValue - uint256(-positionInfo.basePnlUsd);}If
netValueis already small andbasePnlUsdis negative and large, then this could underflow, causing unexpected behavior.There is no safeguard to ensure
netValuedoesn’t go below 0.
Impact
Incorrect Fund Calculation: Due to incorrect precision scaling, calculated
netValuecan be either too high or too low, affecting portfolio tracking.Potential Underflows: If fees or negative PnL values exceed
netValue, arithmetic underflows could lead to unexpected contract states.Broken Trading Logic: The incorrect computation of
netValuemay cause incorrect liquidation decisions or improper profit/loss tracking.
Tools Used
Manual Code Review
Recommendations
1. Apply Precision Scaling to Avoid Miscalculations
Each multiplication involving token amounts and prices should be divided by PRECISION (e.g., 1e30) to keep the values within expected ranges.
2. Separate Fee Calculation for Clarity
Rather than embedding fee subtractions in the same line, explicitly define totalFees:
This ensures:
The total liabilities (fees) are calculated separately.
We prevent underflows by ensuring
netValuedoes not go below 0.
3. Handle Negative basePnlUsd Correctly
Instead of:
Use:
This prevents netValue from underflowing if basePnlUsd is negative and too large.
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.