The long and short open interests can be larger than the max open interest limit #370
Comments
GalloDaSballo marked the issue as primary issue
Marginally better, but suspiciously similar to its dups
I don't see any issue in that, if max OI is modified, the expected behaviour will be that no new positions will be opened until current OI decreases to less than the new max OI.
TriHaz marked the issue as sponsor disputed
The finding shows how the current value of OI can be above the max if the value for max is reduced. The sponsor says that this will not cause issues as no new position will be opened. If no liquidation nor MEV advantageous scenario can be created, I agree with the Sponsor and may keep the finding as QA at most. Will dig deeper.
GalloDaSballo changed the severity to 2 (Med Risk) |
GalloDaSballo marked the issue as duplicate of #377 |
GalloDaSballo marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/PairsContract.sol#L139-L143
Vulnerability details
Impact
The max open interest limit updating function setMaxOi didn't verify the new max open interest limit against existing long/short open interests. The consequence is that the existing assets' long/short open interests may exceed the reduced max open interest limit. This breaks the business logic: the max open interest limit is not supposed to be exceeded.
Proof of Concept
In the test file 02.PairsContract.js, add below test in Section describe('Protocol-only functions', function ():
Tools Used
N/A.
Recommended Mitigation Steps
One possible solution is to limit the max open interest limit to the maximum value of the existing assets' long/short open interests; or to set the max open interest limit as a constant.
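A simplified model of the finding and of the first recommended mitigation, added here as an example; it is not the PairsContract source. Only the name setMaxOi comes from the report; the storage layout, open, setMaxOiChecked and withinLimit are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration. Only the name setMaxOi comes from the
// report; the layout and the other functions are hypothetical.
contract OiLimitModel {
    struct OpenInterest { uint256 longOi; uint256 shortOi; uint256 maxOi; }

    address public immutable owner;
    mapping(uint256 => OpenInterest) public oi; // keyed by asset id

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // As described in the finding: the new limit is stored without being
    // compared to the open interest that already exists.
    function setMaxOi(uint256 asset, uint256 newMaxOi) external onlyOwner {
        oi[asset].maxOi = newMaxOi;
    }

    // First recommended mitigation: reject a limit below current long/short OI.
    function setMaxOiChecked(uint256 asset, uint256 newMaxOi) external onlyOwner {
        OpenInterest storage o = oi[asset];
        uint256 current = o.longOi > o.shortOi ? o.longOi : o.shortOi;
        require(newMaxOi >= current, "maxOi below current OI");
        o.maxOi = newMaxOi;
    }

    // The limit is enforced only when open interest is added.
    function open(uint256 asset, uint256 amount, bool isLong) external {
        OpenInterest storage o = oi[asset];
        if (isLong) {
            require(o.longOi + amount <= o.maxOi, "max long OI");
            o.longOi += amount;
        } else {
            require(o.shortOi + amount <= o.maxOi, "max short OI");
            o.shortOi += amount;
        }
    }

    // Invariant to assert in tests or monitoring after any limit change.
    function withinLimit(uint256 asset) external view returns (bool) {
        OpenInterest storage o = oi[asset];
        return o.longOi <= o.maxOi && o.shortOi <= o.maxOi;
    }
}
```

With a limit of 100 and 80 of long open interest, setMaxOi(asset, 50) succeeds and withinLimit(asset) then returns false, while setMaxOiChecked(asset, 50) reverts and leaves the limit at 100.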