search

sherlock-audit / 2024-05-elfi-protocol-judging

11 stars 7 forks source link

tedox - Users may not be able to close their position due to lack of liquidity in the pool #289

Closed sherlock-admin2 closed 3 months ago

sherlock-admin2 commented 3 months ago

tedox

Medium

Users may not be able to close their position due to lack of liquidity in the pool

Summary

If a user's position is big enough the contract might not be able to cover for the profit by the user and prevent the user from closing their position with the profit they were supposed to receive.

Vulnerability Detail

When placing an order the contract does not verify weather there is enough liquidity supplied to cover for the potential profit the user might receive from the position. This can result in a situation in which when the position is closed the contract does not have enough funds to pay to the user. E.g. Alice creates a long position with $10,000 open interest. The current liquidity provided through staking is only $20. If the price goes up even slightly, Alice will have earned more than $20 and she would not be able to receive her profits until the contract gets enough liquidity but then the price of the asset might have changed resulting in lost profit.

Impact

Large positions might not be able to be closed and users will receive less profit than they were supposed to.

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/OrderProcess.sol#L114-L234

Tool used

Manual Review

Recommendation

When creating/increasing a position ensure that the user cannot create a position big enough to create insolvency issues. Formula to keep in mind (shortOpenInterest) + (longOpenInterestInTokens * currentIndexTokenPrice) < (depositedLiquidity * maxUtilizationPercentage) or totalOpenInterest < (depositedLiquidity * maxUtilizationPercentage)

Duplicate of #72

0xELFi02 commented 3 months ago

When increase position, position will hold pool amount, user can receive her profits from the held amount :

LpPoolProcess.holdPoolAmount(symbolProps.stakeToken, position.marginToken, increaseHoldAmount, params.isLong);

https://github.com/0xCedar/elfi-perp-contracts/blob/49c4ba456d54810bfe36e44be9476acb9f0b23a1/contracts/process/IncreasePositionProcess.sol#L147

0xELFi02 commented 3 months ago

Also, We have a mechanism for auto reduce position (Auto-Deleveraging, ADL)

WangSecurity commented 2 months ago

Since this issue is a duplicate of #235, planning to also duplicate it with #72, as well as #235. @nevillehuang could you verify?