code-423n4 / 2024-04-panoptic-findings


no verification of open positions before withdrawal of assets #507

Closed c4-bot-8 closed 4 months ago

c4-bot-8 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L531

Vulnerability details

Impact

The contract does not check if a user has any open positions before allowing them to withdraw assets. This is a direct violation of the invariant listed in the documentation: "Users should not be allowed to withdraw collateral if they have open positions."

Proof of Concept

https://github.com/code-423n4/2024-04-panoptic/blob/main/contracts/CollateralTracker.sol#L531

https://code4rena.com/audits/2024-04-panoptic#top:~:text=Users%20should%20not%20be%20allowed%20to%20withdraw%20collateral%20if%20they%20have%20open%20positions

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a check in the withdraw function to ensure that a user does not have any open positions before allowing them to withdraw assets. This can be done by querying the s_panopticPool.numberOfPositions(owner) and reverting the transaction if it returns a non-zero value.

Assessed type

Other
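The following Solidity sketch illustrates the check the finding recommends, a withdraw path that reverts when the owner still has open positions in the pool. It is an added example, not the Panoptic CollateralTracker code: the interface `IPanopticPool`, the `MockPanopticPool`, the error `PositionCountNotZero`, the share accounting and the function signatures are all assumptions made for illustration; only `numberOfPositions(owner)` comes from the finding text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface: the finding only tells us the pool exposes
// numberOfPositions(address). Everything else here is illustrative.
interface IPanopticPool {
    function numberOfPositions(address user) external view returns (uint256);
}

// Illustrative stand-in for the pool so the example can be exercised on its own.
contract MockPanopticPool is IPanopticPool {
    mapping(address => uint256) private _positions;

    function setPositions(address user, uint256 count) external {
        _positions[user] = count;
    }

    function numberOfPositions(address user) external view override returns (uint256) {
        return _positions[user];
    }
}

// Simplified collateral vault (hypothetical, not the audited contract).
// Shares are 1:1 with deposited assets to keep the accounting out of the way;
// the point of the example is the open-position gate on the withdraw path.
contract CollateralTrackerExample {
    error PositionCountNotZero(); // hypothetical error name
    error InsufficientShares();

    IPanopticPool public immutable panopticPool;
    mapping(address => uint256) public shares;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(IPanopticPool pool) {
        panopticPool = pool;
    }

    function deposit(uint256 assets, address receiver) external returns (uint256 minted) {
        // Token transfer omitted for brevity; only the share bookkeeping is shown.
        shares[receiver] += assets;
        return assets;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    // Mirrors an ERC-4626-style withdraw(assets, receiver, owner).
    function withdraw(uint256 assets, address receiver, address owner)
        external
        returns (uint256 burned)
    {
        // Invariant from the documentation quoted in the finding:
        // collateral must not leave the vault while the owner has open positions.
        if (panopticPool.numberOfPositions(owner) != 0) revert PositionCountNotZero();

        if (msg.sender != owner) {
            uint256 allowed = allowance[owner][msg.sender];
            if (allowed < assets) revert InsufficientShares();
            allowance[owner][msg.sender] = allowed - assets;
        }
        if (shares[owner] < assets) revert InsufficientShares();

        shares[owner] -= assets;
        // Asset transfer to `receiver` omitted; a real vault would move tokens here.
        receiver; // silence unused-variable warning in this sketch
        return assets;
    }
}
```

To see the gate in action, deploy `MockPanopticPool`, pass it to `CollateralTrackerExample`, `deposit` for an account, call `setPositions(account, 1)` on the mock and observe that `withdraw` reverts with `PositionCountNotZero`; setting the count back to zero lets the same withdraw succeed. Note that the check is placed on `owner` rather than `msg.sender`, since the invariant is about whose collateral backs open positions, not about who initiates the call.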

Picodes commented 4 months ago

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L512

c4-judge commented 4 months ago

Picodes marked the issue as unsatisfactory: Invalid