sherlock-audit / 2023-07-perennial-judging


WATCHPUG - User may not be able to withdraw funds from the `Vault` (account freeze) due to `minPosition` limit #141

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

WATCHPUG

high

User may not be able to withdraw funds from the Vault (account freeze) due to minPosition limit

Summary

Vulnerability Detail

A `_positionLimit()` will be applied to limit the minimum position that a market must maintain in the `StrategyLib#allocate()` function.

For a market with a gap between major and minor greater than the entire maker, it does not allow any deallocation from such a market.

This means that a `Vault` that invested in a skewed market CANNOT withdraw the funds even if the users wish to, which is equivalent to an account freeze for all the `Vault` users.

In contrast, a retail user with a long/short/maker position is allowed to stop loss and close the position at their discretion.

Impact

Vault users are forced to keep their position against the major players in the markets until the vault's position on such a market gets liquidated.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/lib/StrategyLib.sol#L132-L150

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/lib/StrategyLib.sol#L59-L95

Tool used

Manual Review

Recommendation

Remove the `minPosition` limit.
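The freeze condition described above, as an added example that is not part of the original report or the Perennial code base: a simplified integer model of the per-market minimum-position clamp. The formula (`min_position`, `max_deallocation`, `is_frozen` and the scenario values) is an assumption reconstructed from the report's prose, not the project's `_positionLimit()`, and is only meant to show when a vault's maker position can no longer be reduced.

```python
# Added example: simplified model of the minimum-position clamp the report
# describes. All names, the formula and the scenario numbers are ASSUMPTIONS
# reconstructed from the prose (integers instead of 6-decimal fixed point).

def min_position(account_maker: int, market_maker: int, major: int, minor: int) -> int:
    """Smallest maker position the vault must keep in one market (assumed model).

    account_maker: the vault's own maker position in this market
    market_maker:  total maker position of every maker in this market
    major, minor:  the larger and smaller of the market's long/short totals
    """
    net = major - minor                       # skew the makers are covering
    # Maker liquidity not needed to cover the skew is the only part that may go.
    releasable = max(market_maker - min(net, market_maker), 0)
    # The vault cannot release more than it actually holds.
    releasable = min(releasable, account_maker)
    return account_maker - releasable


def max_deallocation(account_maker: int, market_maker: int, major: int, minor: int) -> int:
    """How much of the vault's maker position a withdrawal may remove."""
    return account_maker - min_position(account_maker, market_maker, major, minor)


def is_frozen(account_maker: int, market_maker: int, major: int, minor: int) -> bool:
    """True when the vault holds a position but the clamp lets none of it go."""
    return account_maker > 0 and max_deallocation(account_maker, market_maker, major, minor) == 0


if __name__ == "__main__":
    # Constructed scenarios: (label, account_maker, market_maker, major, minor)
    scenarios = [
        ("balanced market (net skew 0)",          100, 400, 300, 300),
        ("skew 350 < total maker 400",            100, 400, 500, 150),
        ("skew 500 >= total maker 400 (frozen)",  100, 400, 800, 300),
    ]
    for label, acct, mkt, major, minor in scenarios:
        print(f"{label}: can deallocate {max_deallocation(acct, mkt, major, minor)} "
              f"of {acct}, frozen={is_frozen(acct, mkt, major, minor)}")
```

Once the skew is at least the whole maker side, `releasable` is zero regardless of what the vault holds, which is the state the report calls an account freeze.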

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

x

panprog commented:

Invalid because it's a design choice, and besides, it is required for vault security, as otherwise the vault can be abused by artificially creating such situations and forcing different harmful vault actions.