Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/main/contracts/CollateralTracker.sol#L1516
Vulnerability details
Impact
The _computeSpread function in the CollateralTracker contract calculates the required collateral for spread positions. However, there is a critical flaw: the absolute difference calculation does not handle scenarios where movedRight or movedLeft might be very close to their respective partners, potentially resulting in a zero difference. This can lead to inaccurate collateral requirements, resulting in under-collateralization and increased risk of insolvency for the protocol.
Proof of Concept
LOC
If movedRight is very close to movedPartnerRight or movedLeft is very close to movedPartnerLeft, the absolute difference calculation could result in a zero difference. This would not accurately reflect the risk and required collateral for the spread position.
Tools Used
Manual
Recommended Mitigation Steps
Add a small epsilon value to ensure that the difference is non-zero.
Assessed type
Invalid Validation