Skip to content
This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

WATCHPUG - _accumulateFunding() maker will get the wrong amount of funding fee. #139

Open
sherlock-admin opened this issue Aug 15, 2023 · 4 comments
Open

WATCHPUG - _accumulateFunding() maker will get the wrong amount of funding fee. #139

sherlock-admin opened this issue Aug 15, 2023 · 4 comments
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Aug 15, 2023
edited
Loading

WATCHPUG

high

_accumulateFunding() maker will get the wrong amount of funding fee.

Summary

Vulnerability Detail

The formula that calculates the amount of funding in Version#_accumulateFunding() on the maker side is incorrect. This leads to an incorrect distribution of funding between the minor and the maker's side.

// Redirect net portion of minor's side to maker
if (fromPosition.long.gt(fromPosition.short)) {
    fundingValues.fundingMaker = fundingValues.fundingShort.mul(Fixed6Lib.from(fromPosition.skew().abs()));
    fundingValues.fundingShort = fundingValues.fundingShort.sub(fundingValues.fundingMaker);
}
if (fromPosition.short.gt(fromPosition.long)) {
    fundingValues.fundingMaker = fundingValues.fundingLong.mul(Fixed6Lib.from(fromPosition.skew().abs()));
    fundingValues.fundingLong = fundingValues.fundingLong.sub(fundingValues.fundingMaker);
}

PoC

Given:

  • long/major: 1000
  • short/minor: 1
  • maker: 1

Then:

  1. skew(): 999/1000
  2. fundingMaker: 0.999 of the funding
  3. fundingShort: 0.001 of the funding

While the maker only matches for 1 of the major part and contributes to half of the total short side, it takes the entire funding.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/types/Version.sol#L207-L215

Tool used

Manual Review

Recommendation

The correct formula to calculate the amount of funding belonging to the maker side should be:

fundingMakerRatio = min(maker, major - minor) / min(major, minor + maker)
fundingMaker = fundingMakerRatio * fundingMinor
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Aug 18, 2023
@sherlock-admin
Copy link
Contributor Author

2 comment(s) were left on this issue during the judging contest.

141345 commented:

m

panprog commented:

medium because incorrect result only starts appearing if abs(long-short) > maker and the larger the difference, the more incorrect the split of funding is. But this situation is exceptional case, most of the time abs(long-short) < maker due to efficiency and liquidity limits

@sherlock-admin sherlock-admin changed the title Happy Mocha Worm - _accumulateFunding() maker will get the wrong amount of funding fee. WATCHPUG - _accumulateFunding() maker will get the wrong amount of funding fee. Aug 23, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Aug 23, 2023
@arjun-io arjun-io added Sponsor Confirmed The sponsor acknowledged this issue is valid Disagree With Severity The sponsor disputed the severity of this issue Will Fix The sponsor confirmed this issue will be fixed and removed Disagree With Severity The sponsor disputed the severity of this issue labels Aug 24, 2023
@arjun-io
Copy link

We'd like to re-open this as it does appear to be a valid issue. Medium severity seems correct here

@141345 141345 added Medium A valid Medium severity issue Reward A payout will be made for this issue and removed Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout labels Aug 25, 2023
@141345 141345 reopened this Aug 25, 2023
@arjun-io
Copy link

Fixed: equilibria-xyz/perennial-v2#64

@MLON33 MLON33 mentioned this issue Sep 14, 2023
Open
@MLON33
Copy link

MLON33 commented Sep 14, 2023

From WatchPug,

Fixed alongside with #180.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@arjun-io @141345 @sherlock-admin @MLON33