Closed sherlock-admin closed 1 year ago
3 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because user can't call _closablePosition
n33k commented:
invalid, not convincing without PoC
darkart commented:
Seems that Watson misundertstood the function
feelereth
high
The _closablePosition calculation is vulnerable to manipulation of pending positions by an attacker.
Summary
The _closablePosition calculation depends on mutable pending position data. An attacker could manipulate positions before this calculation to incorrectly increase closable amount.
Vulnerability Detail
_closablePosition iterates through pending positions to calculate the closable amount: Link An attacker could exploit this by:
Impact
The attackers is able to redeem more assets than they should be able to.
Code Snippet
https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial-vault/contracts/Vault.sol#L539-L546
Tool used
Manual Review
Recommendation
_closablePosition calculation should only consider settled/finalized positions, not pending ones.