Impact
The current implementation of the _updatePositionsHash function in the PanopticPool contract has an incorrect validation check for the maximum number of positions allowed per user. This oversight allows a user to exceed the intended maximum position limit by one, which could lead to unintended behavior and potential system vulnerabilities, since more positions would be open than the limit allows.
Proof of Concept
In this function, the check (newHash >> 248) > MAX_POSITIONS is intended to ensure that the number of open positions does not exceed MAX_POSITIONS. However, this condition only triggers when the number of positions exceeds MAX_POSITIONS by more than one.
Issue with Current Condition:
If MAX_POSITIONS is set to 32, and a user has exactly 32 positions, newHash >> 248 will equal 32.
The condition (newHash >> 248) > MAX_POSITIONS will not trigger because 32 is not greater than 32.
Therefore, a user might be able to add one more position, making the total 33, which exceeds the intended limit.
Proof:
Consider the following scenario with MAX_POSITIONS set to 32:
A user has 32 positions.
After another position is added, the resulting newHash has newHash >> 248 equal to 33.
The condition (newHash >> 248) > 32 will not revert, allowing the user to add the 33rd position.
Tools Used
Manual
Recommended Mitigation Steps
To strictly enforce the maximum number of positions, the comparison should be changed from > to >=, i.e. (newHash >> 248) >= MAX_POSITIONS.
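As an added example (not the report's or the Panoptic project's code), the following Python model of the positions-hash counter runs both the current > condition and the proposed >= condition against MAX_POSITIONS = 32 and returns how many positions each accepts before rejecting; the counter-in-top-byte layout and the sha3_256 stand-in for keccak256 are assumptions.

```python
import hashlib

# Simplified model (assumption): the top 8 bits of the 256-bit hash hold the open-position
# count and the lower 248 bits hold an XOR fingerprint of the open token ids. sha3_256 is
# a stand-in for keccak256; only the counter byte matters for the limit check.
MAX_POSITIONS = 32
MASK_248 = (1 << 248) - 1


class TooManyPositionsOpen(Exception):
    """Stand-in for the contract's revert when the position limit is hit."""


def fingerprint(token_id: int) -> int:
    """248-bit stand-in for keccak256(abi.encode(tokenId)) truncated to 248 bits."""
    digest = hashlib.sha3_256(token_id.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") & MASK_248


def update_positions_hash(existing: int, token_id: int, add: bool) -> int:
    """Toggle token_id in the XOR fingerprint and step the top-byte counter."""
    count = (existing >> 248) + (1 if add else -1)
    if not 0 <= count <= 0xFF:
        raise ValueError("position counter out of range")
    return (count << 248) | ((existing & MASK_248) ^ fingerprint(token_id))


def check_limit(new_hash: int, use_ge: bool) -> int:
    """Limit check: use_ge=False is the current `>`, use_ge=True is the proposed `>=`."""
    count = new_hash >> 248
    rejected = count >= MAX_POSITIONS if use_ge else count > MAX_POSITIONS
    if rejected:
        raise TooManyPositionsOpen(f"counter={count}")
    return new_hash


def max_openable(use_ge: bool) -> int:
    """Open positions one at a time until the check rejects; return how many were accepted."""
    positions_hash, opened = 0, 0
    while True:
        try:
            positions_hash = check_limit(
                update_positions_hash(positions_hash, opened + 1, True), use_ge
            )
        except TooManyPositionsOpen:
            return opened
        opened += 1


if __name__ == "__main__":
    print("positions accepted with `>` :", max_openable(False))
    print("positions accepted with `>=`:", max_openable(True))
```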
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/main/contracts/PanopticPool.sol#L1371
Assessed type
Invalid Validation