0xPwnd - Incorrect Margin Calculation in createOrderRequest Function Leading to Potential Inaccurate Margin Holdings

[sherlock-admin4]

0xPwnd

High

Incorrect Margin Calculation in createOrderRequest Function Leading to Potential Inaccurate Margin Holdings

Summary

The vulnerability exists in the createOrderRequest function where it assigns the order margin directly without converting it to USD for non-native tokens. This could result in inaccurate margin holdings, especially for cross-margin orders involving various tokens, leading to potential financial inaccuracies and risks for the protocol.

Vulnerability Detail

imagine this scenario

• Bob deposits 100 sol
• he creates a crossMargin order request with order margin of 100 sol
• then this line executes

  if (Order.PositionSide.INCREASE == params.posSide && order.isCrossMargin) {
          accountProps.addOrderHoldInUsd(orderMargin);
      }

• which in this doesn't convert the orderMargin which is 100 sol to it's usd value which may lead to inaccuracies in margin calculations

Impact

Inaccuracies in margin calculations

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/process/OrderProcess.sol#L47-L100

Tool used

Manual Review

Recommendation

Verify the margin token and do the usd conversion in case if the margin token is not a stablecoin

[creat3xai]

Hello, is there a reason why this one got excluded ? can an admin check

[nevillehuang]

Invalid, user input error, they are supposed input margin in USD accordingly