Centralization allows owner to withhold user payouts #224
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate-377
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L926-L933
Vulnerability details
Impact
The owner of the contract could set the
maxWinPercent
state variable in theTrading
contract to something like 0.000001%, which will withhold basically all user deposited funds (for open market orders) inside theStableVault
contract. See here for the usage ofmaxWinPercent
.The impact of this is reduced due to two circumstances:
StableVault
contract (as far as I can see)Regardless, since the payout includes the initial amount the user invested into the order, the owner is able to basically trap user funds with an extremely low
maxWinPercent
. The impact is the same if the multisig wallet is somehow compromised.Proof of Concept
The owner would simply need to call
setMaxWinPercent()
(See here) with a value of1
. Closing any market orders after that would return a negligible amount of the initially deposited user funds, no matter whether the user is supposed to have made a profit or a loss.Let me know if a PoC for this is actually necessary.
I mentioned above that the payout includes the initial amount that the user invested into the order. We know this because the order of function calls required to get to the usage of
maxWinPercent
(linked in the "Impact" section above) is (and this is just one example):initiateCloseOrder()
_closePosition()
.Inside
_closePosition()
, the code usestradingExtension._closePosition()
to get the payout. See here.Looking at
TradingExtension
, this function will use theTradingLibrary
contract'spnl()
function to calculate the payout:tradingExtension._closePosition()
TradingLibrary.pnl()
Looking at the
pnl()
function, it uses the order's position size, opening price, margin, and the current price to calculate the payout. This means it includes the entire amount that the user deposited for the order.Tools Used
N/A
Recommended Mitigation Steps
Set a minimum limit for the
maxWinPercent
insetMaxWinPercent()
.Better yet, remove this function. I don't see a purpose to this function. Why would you want to prevent users from earning their winnings? Trust in the platform itself is lessened with a function like this in the contract, even with a minimum limit set.
The text was updated successfully, but these errors were encountered: