-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
giraffe - Unsafe casting of Int256 perpNetValue leads to DOS #65
Comments
1 comment(s) were left on this issue during the judging contest. takarez commented:
|
Escalate This issue is invalid. If you look at In order to get to this state, the FundingRateArbitrage contract, whose positions are managed by admins:
Furthermore, even after we get to this position, the contract can still be liquidated and the bad debt can be taken care of. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Correct me if I am wrong |
I believe even though this would require a trusted admin action on trades, it should not explicitly DoS core functionalities like depositing and requesting withdrawal. While this is an edge case, if theres a bad trade causing the value to fall to negative, why wouldn't the protocol be open to more collateral deposits? If any of the watsons here can provide me a reasonable numerical example that this will never realistically occur, I will considering lowering severity, if not I believe the severity is correct. |
To add on: Funding Rate Arbitrage is advertised by JOJO as a low-risk, stable return product. In the unfortunate event that positions are negative, admins may decide to inject funds via deposit to avoid liquidation. However, it is at this critical moment |
@nevillehuang @giraffe0x I believe you are misunderstanding the point. |
@JoscelynFarr Can you confirm @detectiveking123 comments? I might have missed protocol mechanisms revolving around liquidation mechanisms given the limited time I have to judge a huge update contest. If it is true that admin/any liquidator can resolve issue via a liquidation, I can agree that it is low severity. |
Agree with @detectiveking123. No need to fix the issue. Will remove the fix label |
|
@JoscelynFarr Can you point to the code logic that performs this liquidation? Once I verify I agree this can be low/invalid severity. |
Sure The liquidation formulation can be find in here |
@nevillehuang did you verify it? |
Yes @Evert0x can be invalid, but what I can tell you is if it so happens nobody is willing to liquidate, core functionalities like depositing will indeed be bricked. However, I trust that admin will liquidate appropriately to unblock DoS |
Ok planning to accept escalation and invalidate issue |
Result: |
Escalations have been resolved successfully! Escalation status:
|
giraffe
medium
Unsafe casting of Int256 perpNetValue leads to DOS
Summary
In FundingRateArbitrage.sol, the function
getNetValue()
doesSafeCast.toUint256(perpNetValue)
. WhenperpNetValue
is negative, this cast will revert.Vulnerability Detail
perpNetValue
can be a negative value when the trades (by contract Owner) are losing money (confirmed with Sponsor). This will result in SafeCast reverting:Impact
All deposit and withdraw functions in FundingRateArbitrage.sol are DOS-ed as they rely on
getNetValue()
and will revert when called. The impact is significant because users are likely to want to withdraw if the trades are losing money, but are unable to do so due to the bug described.Code Snippet
https://github.com/sherlock-audit/2023-12-jojo-exchange-update/blob/main/smart-contract-EVM/src/FundingRateArbitrage.sol#L94
Tool used
Manual Review
Recommendation
Add additional if/else conditions in deposit and withdraw to handle a negative perpNetValue scenario and possible overall negative netValue scenario.
The text was updated successfully, but these errors were encountered: