search

sherlock-audit / 2023-04-jojo-judging

7 stars 4 forks source link

simon135 - for exterme leverage positions can't be liquidated #413

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

simon135

medium

for exterme leverage positions can't be liquidated

Summary

for huge token positions with an asset that supports high total supply, liquidation won't be able to be possible.

Vulnerability Detail

An attacker can make a big position more than type(int256).max since maintenanceMargin is uint we can increase with leverage to 3billion and then when it gets safe casted it will revert because it only accepts a type of int256 and not uint

Impact

position cant get liquidated 

        int256 netPositionValue,
            ,
            uint256 maintenanceMargin
        ) = getTotalExposure(state, trader);
   netPositionValue +
                state.primaryCredit[trader] +
                SafeCast.toInt256(state.secondaryCredit[trader]) >=
            SafeCast.toInt256(maintenanceMargin);

https://github.com/sherlock-audit/2023-04-jojo/blob/6090fef68932b5577abf6b5aa26eb1e579353c57/smart-contract-EVM/contracts/lib/Liquidation.sol#L124

Code Snippet

Tool used

Manual Review

Recommendation

make it uint or have a way for an admin to decrease the pos