Trading.sol: executeLimitOrder function increases open interest by amount that is too large due to not accounting for opening fee #137
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-576
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/PairsContract.sol#L8
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L480
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Position.sol#L99
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L314
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L480
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L163
Vulnerability details
Impact
The
PairsContract
(https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/PairsContract.sol#L8) keeps track of the open interest for each[asset][tigAsset]
pair.The
Trading.executeLimitOrder
(https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L480) function causes the open interest to be increased.However the amount by which it is increased is too big because it does not reduce the
margin
by the amount of fees that is paid upon opening a position.Also once the position is closed the amount by which the open interest is reduced DOES respect the opening fee.
So the amount by which the open interest is increased is bigger than the amount by which the open interest is reduced when the trade is closed.
Therefore every trade that is opened by executing a limit order causes the open interest to rise by a small amount.
This in turn causes issues in the calculation of the funding rate which relies on the open interst (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Position.sol#L99).
There is no immediate loss of funds for a single trade. However in the long run the wrong funding rate calculation can make the Exchange unusable.
So I mark this issue as "Medium".
Proof of Concept
A limit order is created by calling the
Trading.initiateLimitOrder
function (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L314).It mints a trade and saves the full margin in it. The opening fees are only later incorporated. After the open interest is increased.
So once the limit order is created,
Trading.executeLimitOrder
must be called (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L480).In this function the trade is read into memory:
Then, without adjusting the
trade.margin
, the open interest is increased:The trade margin is only later adjusted:
You can also easily see that this is a vulnerability by comparing the
Trading.executeLimitOrder
function to e.g.Trading.initiateMarketOrder
(https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L163), which increases the open interest by the_positionSize
amount:This amount uses the margin adjusted by fees:
Tools Used
VSCode
Recommended Mitigation Steps
Fix:
The text was updated successfully, but these errors were encountered: