Liquidity Management

Summary

The Perpetual Vault Protocol’s withdrawal logic contains a vulnerability in its fee and negative PnL adjustment. Specifically, fees and losses are calculated in USD and then converted to collateral token units (USDC) using the oracle price of the short token. If the oracle price deviates from the 1:1 peg (even slightly, e.g. 0.98 instead of 1), the conversion results in an over-deduction of collateral during withdrawals. This miscalculation can break the invariant that a depositor’s share value is preserved, potentially causing unfair value distribution among users.

Vulnerability Details

In the _withdraw function, the code subtracts fees and negative PnL from a user’s proportional collateral withdrawal amount (collateralDeltaAmount) as follows:

Issue Explanation:

• Unit Mismatch:

  • vaultReader.getPositionFeeUsd(...) returns a fee in USD.

  • This fee is converted to collateral tokens by dividing by prices.shortTokenPrice.max.

  • When the collateral token is USDC, its intended value is 1 USD per token; however, if the oracle price is, say, 0.98 USD per USDC, the conversion results in a higher token deduction than intended.

• Negative PnL Conversion:

  • Similarly, the negative profit/loss (pnl) is converted from USD to tokens using the same price factor.

  • This conversion can also lead to an overestimation of the loss deducted.

Real-Life Scenario Simulation:

Consider a user with a 10% share in a vault where:

• The user’s entitled collateral is ideally 1,000 USDC.

• The position fee is 100 USD.

• The user’s negative PnL is 50 USD.

• The oracle reports USDC’s price as 0.98 USD per USDC.

What the Current Code Does:

• If the code were mistakenly subtracting the fee in USD without proper conversion, it might deduct just 100 + 50 = 150 USDC (or worse, mix up units), leading to an incorrect distribution.

• Over multiple withdrawals, even small errors (like 3–4 USDC per withdrawal) could accumulate, causing later depositors to receive less than their fair share.

Impact

• Violation of Invariants:
  This vulnerability breaks the “Depositor Share Value Preservation” invariant. Withdrawals that over-deduct fees and losses reduce the effective value of each depositor’s share.

• Unfair Distribution:
  Users withdrawing funds may receive less collateral than they are entitled to, while the remaining vault balance is overstated. Future depositors or withdrawers will then bear the burden of this discrepancy, leading to potential losses.

Tools Used

• Manual Code Review:

Recommendations

1. Consistent Unit Conversion:

   • Always convert USD-based values (fees and PnL) to collateral token units using the price of the collateral token rather than the short token.

   • Example Fix:

     uint256 feeAmountInCollateral = vaultReader.getPositionFeeUsd(market, sizeDeltaInUsd, false) / prices.collateralTokenPrice.max;

     uint256 pnlInCollateral = uint256(-pnl) / prices.collateralTokenPrice.max;

     if (pnl < 0) {

     collateralDeltaAmount -= (feeAmountInCollateral + pnlInCollateral);

     } else {

     collateralDeltaAmount -= feeAmountInCollateral;

     }