[Post-Contest] `MultiInvoker._executeOrder` uses current position unadjusted which can lead to incorrect order executions during invalid oracle versions

panprog commented 11 months ago

MultiInvoker._executeOrder: https://github.com/sherlock-audit/2023-09-perennial/blob/e518bbd77bd06ae9c663a31c67d9530a87d2dabb/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L422-L423

This one I'm not sure about, as it can be seen as expected. Similar to _liquidate, currentPosition here is not adjusted, and since order is delta, it will be applied to a wrong currentPosition in case of unsettled invalid oracle. However, in absolute value it will probably be correct. So I leave it up to developers to decide the expected behavior of this one. The fix is to adjust to MultiInvoker._latest().

kbrizzle commented 11 months ago

Fixed by: https://github.com/equilibria-xyz/perennial-v2/pull/116.

panprog commented 11 months ago

Fixed

sherlock-audit / 2023-09-perennial-judging

[Post-Contest] `MultiInvoker._executeOrder` uses current position unadjusted which can lead to incorrect order executions during invalid oracle versions #61