Centralization allows owner to withhold user payouts #224
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate-377
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
2 (Med Risk)
|
As mentioned in other centralization issues, we are aware of the risk and contracts owner will be a multi-sig treasury for now. |
|
TriHaz marked the issue as sponsor acknowledged |
c4-sponsor
added
the
sponsor acknowledged
|
TriHaz marked the issue as disagree with severity |
c4-sponsor
added
the
disagree with severity
|
GalloDaSballo marked the issue as duplicate of #377 |
|
Admin privilege denial of yield |
|
GalloDaSballo marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Trading.sol#L926-L933
Vulnerability details
Impact
The owner of the contract could set the
maxWinPercentstate variable in theTradingcontract to something like 0.000001%, which will withhold basically all user deposited funds (for open market orders) inside theStableVaultcontract. See here for the usage ofmaxWinPercent.The impact of this is reduced due to two circumstances:
StableVaultcontract (as far as I can see)Regardless, since the payout includes the initial amount the user invested into the order, the owner is able to basically trap user funds with an extremely low
maxWinPercent. The impact is the same if the multisig wallet is somehow compromised.Proof of Concept
The owner would simply need to call
setMaxWinPercent()(See here) with a value of1. Closing any market orders after that would return a negligible amount of the initially deposited user funds, no matter whether the user is supposed to have made a profit or a loss.Let me know if a PoC for this is actually necessary.
I mentioned above that the payout includes the initial amount that the user invested into the order. We know this because the order of function calls required to get to the usage of
maxWinPercent(linked in the "Impact" section above) is (and this is just one example):initiateCloseOrder()_closePosition().Inside
_closePosition(), the code usestradingExtension._closePosition()to get the payout. See here.Looking at
TradingExtension, this function will use theTradingLibrarycontract'spnl()function to calculate the payout:tradingExtension._closePosition()TradingLibrary.pnl()Looking at the
pnl()function, it uses the order's position size, opening price, margin, and the current price to calculate the payout. This means it includes the entire amount that the user deposited for the order.Tools Used
N/A
Recommended Mitigation Steps
Set a minimum limit for the
maxWinPercentinsetMaxWinPercent().Better yet, remove this function. I don't see a purpose to this function. Why would you want to prevent users from earning their winnings? Trust in the platform itself is lessened with a function like this in the contract, even with a minimum limit set.
The text was updated successfully, but these errors were encountered: