search

sherlock-audit / 2024-08-velar-artha-judging

7 stars 3 forks source link

4gontuk - Traders can manipulate spread protection by exploiting position size omission in `api.vy::CONTEXT` #41

Closed sherlock-admin3 closed 1 month ago

sherlock-admin3 commented 1 month ago

4gontuk

Medium

Traders can manipulate spread protection by exploiting position size omission in api.vy::CONTEXT

Summary

The omission of position size in the CONTEXT function will cause a bypass of spread protection for liquidity providers (LPs) as traders will open a small reverse position before their intended larger position, potentially causing financial losses for LPs.

Root Cause

In gl-sherlock/contracts/api.vy, the [CONTEXT function](https://github.com/sherlock-audit/2024-08-velar-artha/blob/main/gl-sherlock/contracts/api.vy#L53-L71) does not consider the size of the new position when calculating the price with the oracle.

Example:

Internal pre-conditions

  1. Trader needs to have sufficient funds to open both a reverse position and the intended larger position.
  2. The pool must have enough liquidity to accommodate both positions.

External pre-conditions

  1. The oracle price needs to remain relatively stable during the execution of both open() calls.

Attack Path

  1. Trader calls open() in api.vy:131-158 to set a small reverse position.
  2. Trader immediately calls open() again to set the intended larger position.

Impact

The LPs suffer an increased risk of financial loss as the spread protection is bypassed, leading to potential manipulation of the trading mechanism. Traders gain an unfair advantage by effectively opening large positions without incurring the appropriate spread, which could result in significant losses for LPs over time.

PoC

  1. Assume the current price of ETH is $2000, and the spread for a 10 ETH position is 0.5%.
  2. A trader wants to open a 10 ETH long position.
  3. Instead of directly opening a 10 ETH long position (which would incur a 0.5% spread), the trader:
    • Opens a 1 ETH short position: 
      ctx: Ctx = self.CONTEXT(ETH, USDC, 2000 * 10**6, 10 * 10**6, payload)
self.CORE.open(1, ETH, USDC, False, 2000 * 10**6, 1, ctx)
    • Immediately opens an 11 ETH long position: 
      ctx: Ctx = self.CONTEXT(ETH, USDC, 2000 * 10**6, 10 * 10**6, payload)
self.CORE.open(1, ETH, USDC, True, 22000 * 10**6, 1, ctx)
  4. The trader effectively opens a 10 ETH long position without incurring the 0.5% spread, saving $100 (0.5% of $20,000) at the expense of LPs.

Mitigation

To mitigate this issue, the CONTEXT function should take into account the size of the new position when calculating the price.

Additionally, the open() function in api.vy should be modified to pass the position size to CONTEXT.

mePopye commented 1 month ago

Escalate

On behalf of the watson

sherlock-admin3 commented 1 month ago

Escalate

On behalf of the watson

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

I don't understand how the issue happen, how does opening two positions in different directions (i.e. both long an short) leads to LPs suffering a loss?

If no answer is provided, planning to reject the escalation and leave the issue as it is.

WangSecurity commented 1 month ago

Result: Invalid Unique

sherlock-admin4 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: