A rounding error when computing settleAmounts could cause a small amount of PnL to be lost each time. Since this is a trading protocol, it is expected that there will be users who are active traders or entities that perform high-frequency or algorithmic trading, causing the loss to accumulate to a significant amount.
Root Cause
Rounding error when computing settleAmounts
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
The settleAmounts is computed based on the following formula:
$\frac{(updatedPrice - openedPrice) \times quantity}{1e18}$ OR $\frac{(openedPrice - updatedPrice) \times quantity}{1e18}$
The issue is that in an edge case where the difference between updatedPrice and openedPrice is small, coupled with a small quantity (LibQuote.quoteOpenAmount(quote)), the numerator of the equation will be smaller than the denominator, leading to settleAmounts being rounded down to zero.
In this case, no PnL is settled to PartyA or PartyB's allocated balance (because settleAmounts is zero), yet the quote's openedPrice is still updated to the updatedPrice at Line 77 below. Setting openedPrice to updatedPrice effectively means that the PnL has been settled successfully and users have received the settled PnL to which they are entitled. However, that is not the case here due to the rounding error.
A small amount of PnL will be lost each time the rounding error occurs. Since this is a trading protocol, it is expected that there will be users who are active traders or entities that perform high-frequency or algorithmic trading, causing the loss to accumulate to a significant amount.
Impact
Loss of assets. A small amount of PnL will be lost each time the rounding error occurs. Since this is a trading protocol, it is expected that there will be users who are active traders or entities that perform high-frequency or algorithmic trading, causing the loss to accumulate to a significant amount.
PoC
No response
Mitigation
Consider reverting the function and skipping the update of quote.openedPrice if the settleAmount ends up being zero. If settleAmount is zero, there is also no point in proceeding with the rest of the settleUpnl execution since there is nothing to settle anyway (the allocated balance of either PartyA or PartyB will not increase at the end).
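The truncation described in the attack path and the zero-amount check suggested in the mitigation, as an added Python model that is not code from the protocol or from this report. The names Quote, settle_unguarded, settle_guarded and run, and all sample values, are assumptions; Python's `//` stands in for Solidity's truncating uint256 division.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed-point scale, the 1e18 divisor in the formula


@dataclass
class Quote:
    opened_price: int  # WAD-scaled price
    quantity: int      # WAD-scaled open amount


def settle_amount(quote: Quote, updated_price: int) -> int:
    # Integer division truncates toward zero, like `/` on uint256.
    return abs(updated_price - quote.opened_price) * quote.quantity // WAD


def settle_unguarded(quote: Quote, updated_price: int) -> int:
    """Behaviour described in the finding: openedPrice moves even if nothing settles."""
    amount = settle_amount(quote, updated_price)
    quote.opened_price = updated_price
    return amount


def settle_guarded(quote: Quote, updated_price: int) -> int:
    """Mitigation: reject (revert) a zero settlement and leave openedPrice alone."""
    amount = settle_amount(quote, updated_price)
    if amount == 0:
        raise ValueError("settle amount is zero")
    quote.opened_price = updated_price
    return amount


def run(settle, steps: int = 100, step: int = 10**11) -> int:
    """Settle after every small price step; return the total PnL credited."""
    quote = Quote(opened_price=WAD, quantity=10**6)  # constructed sample values
    total, price = 0, quote.opened_price
    for _ in range(steps):
        price += step
        try:
            total += settle(quote, price)
        except ValueError:
            pass  # reverted call: state unchanged, PnL stays pending
    return total
```

With these constructed values, each single step produces a numerator of 1e17, so the unguarded path credits nothing over 100 settlements, while the guarded path credits the same total as one settlement over the full price move.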
xiaoming90
High
Rounding error when computing settleAmounts
https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibSettlement.sol#L69