Closed sherlock-admin closed 11 months ago
3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because _latest returns both latestPosition and closableAmount, and closableAmount is not latestPosition.magnitude
n33k commented:
invalid, not convincing without PoC
polarzero commented:
Medium. Exactly the same as above.
feelereth
high
Basing fees on the current pending position magnitude instead of the amount being closed can lead to incorrect fee calculations
Summary
This code does have an issue in how it calculates fees based on the current pending position magnitude rather than the amount being closed.
Vulnerability Detail
This code does have an issue in how it calculates fees based on the current pending position magnitude rather than the amount being closed. The key parts are:
Impact
Users could pay excess fees if their position reduces in size.
Code Snippet
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L229
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L344-L345
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L349-L350
Tool used
Manual Review
Recommendation
_latest should track the actual delta of DSU being closed, not just the latest magnitude. This accurately tracks the amount being closed rather than just using the latest magnitude.