The getPositionInfo() function lacks access control, so any external caller can retrieve sensitive position details, including size, collateral, and unrealized PnL.
This exposes pending trades, upcoming liquidations, and position details, leaving traders exposed to front-running and MEV attacks.
The function performs no authentication or permission check.
It exposes real-time trading positions, which MEV bots or attackers can use to target liquidation thresholds.
Attackers can monitor low-margin traders and execute trades to force liquidations.
Call getPositionInfo(key, prices) from an external account that holds no role in the protocol.
Observe that sensitive position details such as collateralAmount, sizeInTokens, and netValue are returned.
Use this information to place front-running or sniping orders before liquidations.
Trader privacy is compromised: attackers can monitor positions in real time.
MEV bots can front-run liquidations, worsening price impact for the liquidated trader.
Tools used: manual review, Foundry.
Restrict the function with an onlyKeeper modifier, a caller whitelist, or another authenticated-account check.
Obfuscate or delay real-time position updates so that MEV extraction is not trivially easy.
Consider batching multiple transactions so that individual liquidation thresholds are not exposed one at a time.
Use a commit-reveal pattern and/or route transactions through Flashbots.
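The following Solidity is an added illustration written for this page; it is not the audited project's code. It places the unrestricted read function next to a gated variant that admits only whitelisted keepers or the account that owns the position. The Position and PositionInfo structs, the `keepers` mapping, the `setKeeper` admin function and the single `indexPrice` argument (in place of the page's `prices`) are assumptions made for the example. One caveat a reviewer should keep in mind: a caller check on a view function only limits who can call that function; contract storage itself remains readable by anyone who queries storage slots directly, which is why the commit-reveal and private-transaction recommendations above still matter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Position, PositionInfo,
// the `keepers` whitelist and the single-price argument are assumptions.

struct Position {
    address account;          // trader who owns the position
    uint256 collateralAmount; // collateral posted (units assumed)
    uint256 sizeInUsd;        // notional value at entry
    uint256 sizeInTokens;     // position size in index tokens
}

struct PositionInfo {
    uint256 collateralAmount;
    uint256 sizeInTokens;
    int256 pnl;
    int256 netValue;
}

// Shared read logic so that the only difference between the two readers is the gate.
abstract contract PositionStore {
    mapping(bytes32 => Position) internal positions;

    function _positionInfo(bytes32 key, uint256 indexPrice)
        internal
        view
        returns (PositionInfo memory info)
    {
        Position storage p = positions[key];
        info.collateralAmount = p.collateralAmount;
        info.sizeInTokens = p.sizeInTokens;
        // Long-only PnL for the illustration: current notional minus entry notional.
        // Assumes both products fit in int256; checked math reverts on uint overflow.
        info.pnl = int256(p.sizeInTokens * indexPrice) - int256(p.sizeInUsd);
        info.netValue = int256(p.collateralAmount) + info.pnl;
    }
}

// The shape described in the finding: any caller can read any position.
contract PositionReaderOpen is PositionStore {
    function getPositionInfo(bytes32 key, uint256 indexPrice)
        external
        view
        returns (PositionInfo memory)
    {
        return _positionInfo(key, indexPrice);
    }
}

// Gated variant: only whitelisted keepers or the position's own account may call.
contract PositionReaderGated is PositionStore {
    address public immutable owner;
    mapping(address => bool) public keepers;

    error NotAuthorized(address caller, bytes32 key);
    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Reverts unless the caller is a whitelisted keeper or owns the position.
    // A key with no stored position has account == address(0), which never matches.
    modifier onlyKeeperOrAccount(bytes32 key) {
        if (!keepers[msg.sender] && msg.sender != positions[key].account) {
            revert NotAuthorized(msg.sender, key);
        }
        _;
    }

    function setKeeper(address keeper, bool allowed) external onlyOwner {
        keepers[keeper] = allowed;
    }

    function getPositionInfo(bytes32 key, uint256 indexPrice)
        external
        view
        onlyKeeperOrAccount(key)
        returns (PositionInfo memory)
    {
        return _positionInfo(key, indexPrice);
    }
}
```

In a Foundry test the gate can be exercised by pranking an unrelated address and expecting the `NotAuthorized` revert, then pranking a keeper added through `setKeeper` and asserting that the returned `netValue` matches the stored collateral plus the computed PnL.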
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.