search

zlsecure3 / review_Aark

0 stars 0 forks source link

handling of `MarketStatus.FORBIDDEN` is unsound in `FuturesLogic::getDeleverageObject()` function #33

Open zlsecure3 opened 1 year ago

zlsecure3 commented 1 year ago

subject

handling of MarketStatus.FORBIDDEN is unsound in FuturesLogic::getDeleverageObject() function

description

        if (marketConfig.getStatus() != DataTypes.MarketStatus.FORBIDDEN) {
            require(absSkewness > skewnessSoftCap);
            require(isLongSkewed == positionSide);

            orderQty = Math.min(absSkewness - skewnessSoftCap, orderQty);
        }

If marketConfig.getStatus() == DataTypes.MarketStatus.FORBIDDEN, the above require statement won't be check, which means it's possible that the sknewness becomes even larger or absSkewness has not overceeded skewnessSoftCap.

And the comment of deleverage says deleverage is supposed to be called when the market is FORBIDDEN, which doesn't match the implementation.

recommendation

Make the comment and implementation consistent.

locations

severity

Medium

damage

exploitability

category

Logical

system_generated: auditor:alansh submission_id:1772394099

zlsecure3 commented 1 year ago

grading (edit)

submission_id:1772394099

review_type:GRADING

result: TBD-yes,no

rating: TBD-123

comment: TBD-Rejected,Accepted by Secure3.

severity: TBD-Critical,Medium,Low,Informational

category:

description:

zlsecure3 commented 1 year ago

client feedback (manual copy)

submission_id:1772394099

review_type:CLIENT_FEEDBACK

result: TBD-yes,no

severity: TBD-Critical,Medium,Low,Informational

comment:

zlsecure3 commented 1 year ago

client feedback decision(edit)

submission_id:1772394099

review_type:CLIENT_FEEDBACK_DECISION

result: TBD-yes,no,yes-honored,no-honored

severity: TBD-Critical,Medium,Low,Informational

comment: