openPosition() Lack of minimum token0PremiumPortion/token1PremiumPortion limit #27
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-11
primary issue: Highest quality submission among a set of duplicates
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L151
Vulnerability details
In openPosition(), it allows token0PremiumPortion and token1PremiumPortion to be 0 at the same time.

In this case, if tokenId enters out_of_price, for example, UpperOutOfRange, anyone might be able to input:

Note: amountFromBorrowed + marginFrom == 0, so fees == 0

to open a new Position, borrow Liquidity, but without paying any fees. It's basically a no-cost loan.
Impact
For an out_of_price tokenId, the no-cost loan might lead to the following issues:
1. Because token0Premium/token1Premium are 0, the liquidator will not execute liquidatePosition(), because there is no profit.
2. Because token0Premium/token1Premium are 0, the LP cannot get fees, but the borrower might still be able to profit.
Proof of Concept
The following test case demonstrates that if it is out_of_price, anyone can borrow at no cost.

Add to OpenPosition.t.sol
Recommended Mitigation
It is suggested that openPosition() should add a minimum token0PremiumPortion/token1PremiumPortion limit.
Assessed type
Other
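
The minimum-limit check recommended above, shown as a simplified Python model of the fee and premium arithmetic. This is an added example, not the project's contract code or the submitter's test. BASIS_POINT, FEE_FACTOR, MIN_PREMIUM_PORTION, the function names, and the rule that the premium is the margin left after the fee are all assumptions made for illustration.

```python
BASIS_POINT = 1_000_000       # assumed denominator for fees and portions
FEE_FACTOR = 500              # constructed fee rate: 0.05% of the "from" amount
MIN_PREMIUM_PORTION = 10_000  # hypothetical floor (1%), not a value from the finding


class PremiumPortionTooLow(Exception):
    """A borrowed side carries less premium than the configured floor."""


def portion(premium: int, borrowed: int) -> int:
    # Premium as a share of the borrowed amount it backs, in BASIS_POINT units.
    return premium * BASIS_POINT // borrowed if borrowed else 0


def open_position(amount_from_borrowed: int, amount_to_borrowed: int,
                  margin_from: int, margin_to: int, min_portion: int = 0):
    """Model of the open path; returns (fee, from_portion, to_portion).

    min_portion=0 is the behaviour the finding describes; a positive value
    applies the recommended minimum limit to every side that borrowed tokens.
    """
    # Per the finding, the fee scales with amountFromBorrowed + marginFrom.
    fee = (amount_from_borrowed + margin_from) * FEE_FACTOR // BASIS_POINT
    if fee > margin_from:
        raise ValueError("marginFrom does not cover the fee")
    # Simplification: the premium is the margin left on each side after the fee.
    from_portion = portion(margin_from - fee, amount_from_borrowed)
    to_portion = portion(margin_to, amount_to_borrowed)
    for borrowed, got in ((amount_from_borrowed, from_portion),
                          (amount_to_borrowed, to_portion)):
        if borrowed and got < min_portion:
            raise PremiumPortionTooLow(f"portion {got} < minimum {min_portion}")
    return fee, from_portion, to_portion


def is_rejected(*args, **kwargs) -> bool:
    # True when the minimum-portion check refuses to open the position.
    try:
        open_position(*args, **kwargs)
    except PremiumPortionTooLow:
        return True
    return False


# Constructed sample: liquidity out of range, so only the "to" token is borrowed
# and the caller supplies no margin on either side.
OUT_OF_RANGE = dict(amount_from_borrowed=0, amount_to_borrowed=1_000_000,
                    margin_from=0, margin_to=0)
```

With no floor, the OUT_OF_RANGE sample opens with a zero fee and zero premium portions. With the floor set, the same call is refused until the borrowed side carries at least the minimum premium.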