Open c4-bot-5 opened 9 months ago
0xleastwood marked the issue as primary issue
Good point. Appreciated the detailed PoC. On our end, I think we should have documented the use of tokenPremiumPortion
more clearly. It's a compromise we took to ensure the lien
structure stored on chain is less than 3 uint256. We compressed a lot and were only left with uint24
.
We think a dust of ~1000 USDC when a user is spending 15B USDC is acceptable. We could add a function to collect dust if needed (might be complicated though).
If there can be serious attack around this dust, please do raise it. Thanks!
0xleastwood marked the issue as selected for report
wukong-particle (sponsor) acknowledged
These are leftover amounts that are caused by the rounding of the premium as a portion (premium -> portion -> premium). It looks more on the QA side to me.
These are leftover amounts that are caused by the rounding of the premium as a portion (premium -> portion -> premium). It looks more on the QA side to me.
This seems considerable and will accrue significantly over the lifetime of the protocol. I think the severity is justified as per the judging criteria.
2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
Lines of code
https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L218-L244
Vulnerability details
Impact
Excess tokens from margins provided by traders when opening position could become stuck inside the
ParticlePositionManager
due to precision loss when calculating the token premium portion.Proof of Concept
When traders call
openPosition
, eventually it will calculatecache.token0PremiumPortion
andcache.token1PremiumPortion
before put it into lien data.https://github.com/code-423n4/2023-12-particle/blob/main/contracts/protocol/ParticlePositionManager.sol#L218-L244
It can be observed that when calculating
cache.token0PremiumPortion
andcache.token1PremiumPortion
, precision loss could occur, especially when the token used has a high decimals (e.g. 18) whileBASIS_POINT
used only1_000_000
. When this happens, the token could become stuck inside theParticlePositionManager
.Coded PoC :
The PoC goal is to check the amount of tokens inside the
ParticlePositionManager
after the position is opened, premium is added, liquidated, the LP withdraws the tokens and collects fees, and the admin collects the treasury.Add the following test inside
test/OpenPosition.t.sol
and also addimport "forge-std/console.sol";
to the test contract.Run the test :
Output log :
It can be observed that some tokens stuck inside the
ParticlePositionManager
contract.Tools Used
Manual review + foundry
Recommended Mitigation Steps
Use a higher scaling for
BASIS_POINT
, considering the fact that tokens commonly have a high number of decimalsAssessed type
Math