Open code423n4 opened 1 year ago
JustDravee marked the issue as primary issue
JustDravee marked the issue as satisfactory
fee part is included in usedFunds, At any time pool's total funds is not just included in totalFunds, but some part of it is in usedFunds, note that usedFunds can be negative too.
rivalq marked the issue as sponsor disputed
rivalq requested judge review
fee part is included in usedFunds, At any time pool's total funds is not just included in totalFunds, but some part of it is in usedFunds, note that usedFunds can be negative too.
As this issue was raised by several wardens, I'm willing to give this the benefit of the doubt and would like to ask the sponsor @rivalq to view it a second time. Perhaps looking through duplicated issues? They are mostly low quality and badly explained but might be on to something. https://github.com/code-423n4/2023-03-polynomial-findings/issues/46 is the duplicate with the most arguments
I'd like to use this issue to bring attention to another issue, https://github.com/code-423n4/2023-03-polynomial-findings/issues/117, as it actually says the opposite (that openShort
is done right but closeLong
has an extra update that shouldn't exist). So, this one, which I repeat isn't a duplicate but actually an opposite finding, might be right.
mubaris marked the issue as sponsor confirmed
I'm confirming this from our side, although I think it's a Medium risk similar to #117
JustDravee marked the issue as selected for report
As this is still considered a loss of funds for users, I'll keep it as high
Lines of code
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L494-L521
Vulnerability details
The function
openShort()
inLiquidityPool.sol
is missing an update tototalFunds
, to increaseLiquidityPool
funds by the collected net fees.Impact
As a result of the missing increment to
totalFunds
, theavailableFunds
in theLiquidityPool
will be lower. This will impact the token price, causing a lower token price onopenShort()
trades. This will result inLiquidityPool
token holders to lose part of their token value.Detailed Explanation
The function
openShort()
is supposed to increase thetotalFunds
by(feesCollected - externalFee)
as the trading fees is paid by the trader, via a deduction of thetradeCost
.https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L506-L508
Proof of Concept
Add the following imports and test case to
test/LiquidityPool.Trades.t.sol
Recommended Mitigation Steps
Add the following to update
totalFunds
with the net fee collection.