Overloading and Ambiguity of Global Flow Data
PerpetualVault.sol
Observation:
The variable flowData is used to store different types of information depending on the current flow:
-
In a withdrawal flow, it is set to the deposit ID:
flowData = depositId; -
In the deposit flow (during MarketIncrease orders) it temporarily holds “previous size in tokens.”
-
In the liquidation branch, it is overwritten with the current position size.
Later, functions like _handleReturn decode flowData as a deposit ID:
Risk:
Because the same storage slot is used for different meanings across flows, an attacker (or a malicious keeper) may be able to force a state transition or manipulate the value of flowData between flows. This could cause, for example, a withdrawal to reference the wrong deposit record, potentially allowing an attacker to withdraw funds they are not entitled to or to disrupt the fair distribution of shares.
Recommendation:
Separate the flow‐related data into distinct variables (or use a struct with clearly typed fields) so that each piece of information is stored in its proper context. This eliminates the risk of type confusion and unintended overwrites between flows.
Lead Judging Commences
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Suppositions
There is no real proof, concrete root cause, specific impact, or enough details in those submissions. Examples include: "It could happen" without specifying when, "If this impossible case happens," "Unexpected behavior," etc. Make a Proof of Concept (PoC) using external functions and realistic parameters. Do not test only the internal function where you think you found something.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.