The addDust function in the OptionsPositionManager contract has a vulnerability in its scale calculation, which can cause reverts when the token decimals are greater than 20 or too small. The calculation of the scale0 and scale1 variables is not stable and can lead to issues with arithmetic underflow or excessive inflation of dust values. This issue impacts the operability of the closeDebt function for tokens with large decimals or small decimals like USDC. This could prevent users from being able to repay their debts properly, potentially locking up their funds.
Proof of Concept
If a token has decimals greater than 20 is used as underlying asset, the scale calculation in the addDust function will fail due to arithmetic underflow.
If a token has small decimals, the smaller it gets, the more inflated value addDust function will return.
Both scenario can result in reverts (arithmetic underflow & insufficient funds) when users try to use the closeDebt function to repay their debts, effectively rendering the operation inoperable for certain tokens.
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L546-L547
Vulnerability details
Impact
The
addDust
function in theOptionsPositionManager
contract has a vulnerability in its scale calculation, which can cause reverts when the token decimals are greater than 20 or too small. The calculation of thescale0
andscale1
variables is not stable and can lead to issues with arithmetic underflow or excessive inflation of dust values. This issue impacts the operability of thecloseDebt
function for tokens with large decimals or small decimals like USDC. This could prevent users from being able to repay their debts properly, potentially locking up their funds.Proof of Concept
If a token has decimals greater than 20 is used as underlying asset, the scale calculation in the
addDust
function will fail due to arithmetic underflow. If a token has small decimals, the smaller it gets, the more inflated valueaddDust
function will return. Both scenario can result in reverts (arithmetic underflow & insufficient funds) when users try to use thecloseDebt
function to repay their debts, effectively rendering the operation inoperable for certain tokens.Tools Used
Manual review
Recommended Mitigation Steps
Use a fixed amount to calculate scales in the
addDust
function, rather than relying on dynamic calculations based on token decimals.Assessed type
Decimal