XO-`settle` function does not check if the `pre` variable is actually set

Summary

The settle function does not check if the pre variable is set, which could allow an attacker to create a malicious PrePosition that has a zero value for the taker and maker fields. If the attacker were able to do this, they could then call the settle function and cause the contract to revert.

Vulnerability Detail

*/
function settle(
    VersionedPosition storage self,
    uint256 latestVersion,
    IOracleProvider.OracleVersion memory toOracleVersion
) internal {
    (Position memory newPosition, bool settled) =
        positionAtVersion(self, latestVersion).settled(self.pre, toOracleVersion);

    self._positionAtVersion[toOracleVersion.version] = newPosition.pack();
    if (settled) delete self.pre;
}
}

The vulnerability in the settle function so the problem is that there is a line is that it does not check if the pre variable is actually set. so we have the The pre variable is a global variable that stores the current global pending-settlement position delta, and The settle function is called when the global position is settled to a new oracle version. so The settle function calls the settled function on the current global position, passing in the pre variable and the new oracle version and the settled function calculates the new global position after settlement. so If the pre variable is not set, then the settled function will throw an error. and The settle function does not check if the pre variable is set, so an attacker could create a malicious PrePosition that has a zero value for the taker and maker fields. If the attacker were able to do this, they could then call the settle function and cause the contract to revert.
Impact
An attacker could create a malicious PrePosition that has a zero value for the taker and maker fields. If the attacker were able to do this, they could then call the settle function and cause the contract to revert.
Code Snippet
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/product/types/position/VersionedPosition.sol#L47
Tool used

Manual Review

Recommendation

add The require statement to check if the pre.taker and pre.maker variables are both greater than 0.

sherlock-audit / 2023-05-perennial-judging

XDZIBEC - XO-`settle` function does not check if the `pre` variable is actually set #166

XO-`settle` function does not check if the `pre` variable is actually set

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-audit / 2023-05-perennial-judging

XDZIBEC - XO-`settle` function does not check if the `pre` variable is actually set #166

XO-settle function does not check if the pre variable is actually set

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

XO-`settle` function does not check if the `pre` variable is actually set