Closed code423n4 closed 1 year ago
Invalid
bytes032 marked the issue as low quality report
GalloDaSballo marked the issue as unsatisfactory: Insufficient proof
Good idea, but you did not show a vuln
Others did, I'm not duping since this is a hypothetical
GalloDaSballo changed the severity to QA (Quality Assurance)
Awarding QA
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L314-L369
Vulnerability details
Impact
The current implementation of put options in PerpetualAtlanticVault.sol allows purchasing and settling the options in one epoch (before expiry), suggesting these are American-style options, while the docs suggest the Black-Scholes model will be used for calculating the premium. However, Black-Scholes is only for European options, and the premium of European options is less than that of American options, so this can cause users to receive less premium than they should receive.
Proof of Concept
When calling settle() on the options, as long as you provide the function with existing optionIds, it will execute.
So there are no restrictions on exercising the options after expiry timestamp, so these are American-style options. But per the docs, Black-Scholes will be used to compute the premium, and Black-Scholes is only for European options. Due to the flexibility of American options (can exercise before expiry) the premium is usually higher than for European options, so the users can only get the premium calculated based on European options but sell an American option.
Tools Used
Manual Review
Recommended Mitigation Steps
Use an American-style option pricing model instead of the Black-Scholes model.
Assessed type
Other
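Added example, not part of the original report or the Dopex code base: a Cox-Ross-Rubinstein binomial tree that prices the same put with and without early exercise, next to the closed-form Black-Scholes put, to quantify the gap the report describes. The function names and all market parameters (spot, strike, rate, volatility, tenor) are constructed for illustration and are not taken from the contracts.

```python
import math

def crr_put(spot, strike, rate, vol, years, steps=200, american=False):
    """Cox-Ross-Rubinstein binomial price of a put (no dividends)."""
    dt = years / steps
    up = math.exp(vol * math.sqrt(dt))
    down = 1.0 / up
    disc = math.exp(-rate * dt)
    p = (math.exp(rate * dt) - down) / (up - down)  # risk-neutral up probability
    # Payoff at expiry; node j has seen j up moves out of `steps`.
    values = [max(strike - spot * up**j * down**(steps - j), 0.0)
              for j in range(steps + 1)]
    # Roll back through the tree one time step at a time.
    for i in range(steps - 1, -1, -1):
        for j in range(i + 1):
            value = disc * (p * values[j + 1] + (1 - p) * values[j])
            if american:
                # Early exercise: holder takes intrinsic value if it is worth more.
                intrinsic = max(strike - spot * up**j * down**(i - j), 0.0)
                value = max(value, intrinsic)
            values[j] = value
    return values[0]

def bs_put(spot, strike, rate, vol, years):
    """Closed-form Black-Scholes price of a European put."""
    d1 = (math.log(spot / strike) + (rate + 0.5 * vol**2) * years) / (vol * math.sqrt(years))
    d2 = d1 - vol * math.sqrt(years)
    cdf = lambda x: 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))
    return strike * math.exp(-rate * years) * cdf(-d2) - spot * cdf(-d1)

def early_exercise_premium(spot, strike, rate, vol, years, steps=200):
    """Amount by which European pricing undercharges for an American put."""
    american = crr_put(spot, strike, rate, vol, years, steps, american=True)
    european = crr_put(spot, strike, rate, vol, years, steps, american=False)
    return american - european

if __name__ == "__main__":
    # Constructed sample parameters, not Dopex values.
    args = dict(spot=100.0, strike=100.0, rate=0.05, vol=0.3, years=1.0)
    print("Black-Scholes put :", round(bs_put(**args), 4))
    print("CRR European put  :", round(crr_put(**args), 4))
    print("CRR American put  :", round(crr_put(**args, american=True), 4))
    print("Early-exercise gap:", round(early_exercise_premium(**args), 4))
```

With a zero interest rate the two tree prices coincide, so the size of the underpricing depends on the rate and tenor actually used; this is the kind of concrete figure the judge's "Insufficient proof" comment asks for.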