Trading.sol: addToPosition function does allow trader to increase position size without paying fees #194

code423n4 · 2022-12-14T17:52:16Z

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L255-L305
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L278
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L293-L294

Vulnerability details

Impact

When opening a position, an opening fee has to be paid.
You can see this in the Trading.initiateMarketOrder function (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L163-L210).

It deposits the whole _tradeInfo.margin (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L180) but the trade is only created with the _marginAfterFees (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L185), i.e. the margin minus the opening fees.

This is how paying the opening fee should work.

There is an issue in the Trading.addToPosition function (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L255-L305). Instead of depositing the whole _addMargin which is the margin that is added to the position, the _addMargin - _fee (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L278) is deposited. This is the same amount that is then added to the position (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Trading.sol#L293-L294).

In effect this means that no opening fees are deducted from the margin that is deposited.

Therefore increasing a position is free for the trader (except gas fees).

A trader can exploit this by opening a small position first (which must be as big as the minimum position size).

The trader can then increase his position to the desired size using the Trading.addToPosition function. So the trader only needs to pay the opening fee for the minimum position size.

Proof of Concept

The trader opens a position with the Trading.initiateMarketOrder function. The position is big enough to meet the minimum position size requirement (https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/TradingExtension.sol#L218)
The trader calls the Trading.addToPosition function to increase his position to the desired size.
The amount he needs to deposit into the StableVault is _addMargin - fee:

_handleDeposit(
    _trade.tigAsset,
    _marginAsset,
    _addMargin - _fee,
    _stableVault,
    _permitData,
    _trader
);

The _newMargin is calculated as _trade.margin + _addMargin - fee:

_addMargin -= _fee;
uint _newMargin = _trade.margin + _addMargin;

The margin of the trade is then changed to be the _newMargin:

position.addToPosition(
    _trade.id,
    _newMargin,
    _newPrice
);

Code from Position.addToPosition:

function addToPosition(uint256 _id, uint256 _newMargin, uint256 _newPrice) external onlyMinter {
    _trades[_id].margin = _newMargin;
    _trades[_id].price = _newPrice;
    initId[_id] = accInterestPerOi[_trades[_id].asset][_trades[_id].tigAsset][_trades[_id].direction]*int256(_newMargin*_trades[_id].leverage/1e18)/1e18;
}

In the end the trader deposited _addMargin - fee and the position was also increased by _addMargin - fee. So the trader did not pay fees for increasing his position.

Tools Used

VSCode

Recommended Mitigation Steps

The solution is very simple. The trader must deposit the whole _addMargin into the vault.

         _handleDeposit(
             _trade.tigAsset,
             _marginAsset,
-            _addMargin - _fee,
+            _addMargin,
             _stableVault,
             _permitData,
             _trader
         };

The text was updated successfully, but these errors were encountered:

c4-judge · 2022-12-23T16:27:21Z

GalloDaSballo marked the issue as duplicate of #659

c4-judge · 2023-01-18T13:58:46Z

GalloDaSballo changed the severity to 3 (High Risk)

c4-judge · 2023-01-22T17:43:25Z

GalloDaSballo marked the issue as satisfactory

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 14, 2022

code423n4 added a commit that referenced this issue Dec 14, 2022

HollaDieWaldfee issue #194

6b5204d

c4-judge closed this as completed Dec 23, 2022

c4-judge added the duplicate-659 label Dec 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trading.sol: addToPosition function does allow trader to increase position size without paying fees #194

Trading.sol: addToPosition function does allow trader to increase position size without paying fees #194

code423n4 commented Dec 14, 2022

c4-judge commented Dec 23, 2022

c4-judge commented Jan 18, 2023

c4-judge commented Jan 22, 2023

Trading.sol: addToPosition function does allow trader to increase position size without paying fees #194

Trading.sol: addToPosition function does allow trader to increase position size without paying fees #194

Comments

code423n4 commented Dec 14, 2022

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Dec 23, 2022

c4-judge commented Jan 18, 2023

c4-judge commented Jan 22, 2023