vvv
high
DoS attack by overflowing marginDepositedTotal value in Vault
Summary
marginDepositedTotal could be overflowed due to an incorrect check in FlatcoinVault. Overflowed marginDepositedTotal leads to DoS, as it's used in InvariantChecks.
Vulnerability Detail
In the settleFundingFees method in FlatcoinVault, due to an incorrect check for negative marginDepositedTotal, it can be overflowed to extreme values.
Suppose _fundingFees happens to be -1000 and marginDepositedTotal == 900. As we directly cast int256(_globalPositions.marginDepositedTotal) + _fundingFees to uint256, we get type(uint256).max - 100 in marginDepositedTotal in our example.
Overflowed marginDepositedTotal leads to a revert in _getCollateralNet, since Solidity 0.8 reverts on an overflowed addition of uint256s. Reverts in _getCollateralNet lead to DoS for various places in the protocol ([1] [2]).
Impact
DoS for the big part of the protocol.
Code Snippet
Tool used
Manual Review
Recommendation
Change check for negative marginDepositedTotal to:
Duplicate of #195
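The cast and the follow-on revert from the Vulnerability Detail, as an added Solidity example that is not the Flatcoin code and not part of the report. The guard in settleBuggy is an assumed stand-in for the incorrect check, settleFixed is one possible guard rather than the report's recommendation, and the contract name, function names and otherCollateral are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration, not the Flatcoin source. Only marginDepositedTotal,
/// the 900 / -1000 values and the uint256 cast come from the report.
contract MarginCastDemo {
    uint256 public marginDepositedTotal = 900; // value used in the report
    uint256 public otherCollateral = 5000;     // constructed sample value

    // Assumed flawed guard: it compares the margin with the signed fee itself.
    // Any negative fee passes (900 > -1000), so the sum can be negative.
    function settleBuggy(int256 fundingFees) external {
        marginDepositedTotal = int256(marginDepositedTotal) > fundingFees
            // Checked arithmetic covers the signed addition (-100 is in range),
            // but the explicit int256 -> uint256 conversion is NOT checked:
            // -100 wraps to 2**256 - 100.
            ? uint256(int256(marginDepositedTotal) + fundingFees)
            : 0;
    }

    // One way to write the guard: test the sign of the sum, clamp at zero.
    function settleFixed(int256 fundingFees) external {
        int256 updated = int256(marginDepositedTotal) + fundingFees;
        marginDepositedTotal = updated > 0 ? uint256(updated) : 0;
    }

    // Stand-in for _getCollateralNet: a checked uint256 addition. Once the
    // total has wrapped, this reverts with Panic(0x11) on every call, which
    // is the DoS condition described in the report.
    function collateralNet() external view returns (uint256) {
        return marginDepositedTotal + otherCollateral;
    }
}
```

After settleBuggy(-1000), every call to collateralNet() reverts with Panic(0x11); after settleFixed(-1000) on a fresh deployment, marginDepositedTotal is 0 and collateralNet() returns 5000.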