search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

Dliteofficial - A leverage Trader can use additionalSize to exploit the Flat Money Points for more Flat Money Point Tokens in LeverageModule::executeOpen() or LeverageModule::executeAdjust() #149

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 7 months ago

Dliteofficial

medium

A leverage Trader can use additionalSize to exploit the Flat Money Points for more Flat Money Point Tokens in LeverageModule::executeOpen() or LeverageModule::executeAdjust()

Summary

A leverage trader can deposit a certain margin, enter a position with the maximum additionalSize to secure more than enough Flat Money Points tokens, exit the position. He can perform this action repeatedly for maximum rewards.

Vulnerability Detail

As a rewards to leverage traders and UNIT LPs, they get Flat Money Point tokens to be redeemed according to a vesting schedule later in the future. When a leverage trader announces a leverage open order and it gets executed, the user is given flat money points tokens according to the additional size taken. To top it off, the points is not taken if the trader exits the system.

For maximum reward, the user can take the maximum additional size, secure the Flat Money Points Tokens, exit the position and do it all over again. Of course, consideration will be put in the execution of this attack however, the benefit far outweighs the cost. For a leverage ratio of 25x and a margin of 1 ETH, the trader can get 24ETH additional size. with the points per deposit, the reward is amplified.

Impact

The trader accesses more Flat Money Points Tokens that he deserves in a short period of time.

Code Snippet

LeverageModule::executeOpen()

    function executeOpen(
        address _account, 
        address _keeper,
        FlatcoinStructs.Order calldata _order
    ) external whenNotPaused onlyAuthorizedModule returns (uint256 _newTokenId) {

        ...

        IPointsModule pointsModule = IPointsModule(vault.moduleAddress(FlatcoinModuleKeys._POINTS_MODULE_KEY));
        pointsModule.mintLeverageOpen(_account, announcedOpen.additionalSize);

        vault.updateStableCollateralTotal(int256(announcedOpen.tradeFee));
        vault.sendCollateral({to: _keeper, amount: _order.keeperFee});

        emit FlatcoinEvents.LeverageOpen(_account, _newTokenId);
    }

Tool used

Manual Review

Recommendation

Flat Money Points Token should be given based on the margin provided like that of UNIT LPs rather than additional size for Leverage traders.

Duplicate of #187

sherlock-admin commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid