search

sherlock-audit / 2024-02-perpetual-judging

2 stars 2 forks source link

PUSH0 - Users will always pay max borrowing fee against SpotHedgeBaseMaker #97

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

PUSH0

medium

Users will always pay max borrowing fee against SpotHedgeBaseMaker

Summary

The borrowing fee is a mechanic proposed by perpetual to encourage LPs to deposit into makers. As well as reward traders for taking opposite positions. It acts as an additional bonus to funding fees and is calculated by utilization of the maker. DOCS

The Utilization Ratio is calculated by: ABS(openNotional of Maker) / margin of Maker (In case margin > 0). The ratio is also caped at 1.

This leads to following problem with the SpotHedgeBaseMaker: because the SpotHedgeBaseMaker keeps all funds at idle and does not deposit into vault like oracleMaker, the openNotional and margin of SpotHedgeBaseMakerare always 1:1, or close to.

This will lead to the utilization ratio always staying at 1, meaning that market will always pay full borrowing fee to SpotHedgeBaseMaker.

This discourages LPs from depositing into oracleMaker.

Vulnerability Detail

The borrow fee is calculated based on util rate:

defaultUtilRatio = FixedPointMathLib.min(WAD, openNotional.abs().divWad(positiveMargin));

https://github.com/sherlock-audit/2024-02-perpetual/blob/main/perp-contract-v3/src/makerReporter/MakerReporter.sol#L35-L64

The spotHedgeBaseMaker only deposits margin into the vault when opening a position:

https://github.com/sherlock-audit/2024-02-perpetual/blob/main/perp-contract-v3/src/maker/SpotHedgeBaseMaker.sol#L435

This means that the utilization rate of the SpotHedgeBaseMaker is always close to 100%,
forcing users to pay more fees to the spotHedgeBaseMaker then required.

Impact

Users always pay 100% of fee to SpotHedgeBaseMaker. Discourages LPs from depositing into oracleMaker.

Code Snippet

https://github.com/sherlock-audit/2024-02-perpetual/blob/main/perp-contract-v3/src/makerReporter/MakerReporter.sol#L35-L64 https://github.com/sherlock-audit/2024-02-perpetual/blob/main/perp-contract-v3/src/maker/SpotHedgeBaseMaker.sol#L435

Tool used

Manual Review

Recommendation

Calculate the util rate inside of SpotHedgeBaseMaker and quote it from there.

sherlock-admin4 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

santipu_ commented:

Low - Intended design

IllIllI000 commented 6 months ago

Escalate

This is not a duplicate of #126 and is actually invalid. When traders trade against this maker, the maker sells its spot balance, and adds the proceeds to the vault. It then uses those funds to open a position, at which point the ratio is updated.

sherlock-admin2 commented 6 months ago

Escalate

This is not a duplicate of #126 and is actually invalid. When traders trade against this maker, the maker sells its spot balance, and adds the proceeds to the vault. It then uses those funds to open a position, at which point the ratio is updated.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

nevillehuang commented 6 months ago

@IllIllI000 Agree with your escalation

WangSecurity commented 6 months ago

@Oot2k @midori-fuse do you have anything against the escalation or you agree with it?

If no answer is provided, planning to accept the escalation and invalidate the issue.

Evert0x commented 6 months ago

Result: Invalid Unique

sherlock-admin3 commented 6 months ago

Escalations have been resolved successfully!

Escalation status: