code423n4 | Code4rena | CODE423N4:2023-12-PARTICLE-FINDINGS-ISSUES-45
Dec 21, 2023 - 12:00 a.m.

marginTo when opening a position increases slippage

Code4rena
github.com

AI Score: 7 High (Confidence: Low)

Lines of code

Vulnerability details

Impact

Providing marginTo when opening a position will not increase the premium; it will instead be stolen by MEV.

This can be mitigated by providing amountOutMin in the swap params, but the protocol should guarantee a proper swap.

Proof of Concept

When opening a position, a borrower can supply marginTo/From to increase their premium, so that their position doesn’t immediately go under water when any trading happens.

marginTo doesn’t work as intended, though. It is used to calculate amountToMinimum when swapping (underflow handled in other issue):

ParticlePositionManager::openPosition:

File: contracts/protocol/ParticlePositionManager.sol

212:            collateralTo - cache.amountToBorrowed - params.marginTo, // amount needed to meet requirement

Which is used to guarantee that enough tokens are received when swapping:

Base::swap:

File: contracts/libraries/Base.sol

65:        if (amountReceived < amountToMinimum) revert Errors.InsufficientSwap();

The issue is that the more marginTo a user provides, the less the protocol expects out of the swap. This will be picked up by bots and exploited. The marginTo will get “eaten” and only amountToMinimum will be left after the swap. Hence, any premium the user thought they’d get from providing marginTo is lost to MEV.

Tools Used

Manual audit

Recommended Mitigation Steps

Consider not counting marginTo towards the expected output from the swap. As shown in another issue, there are further problems with this. marginTo is the premium for the “to”-side of the position. Hence it should not be part of the expected output of the swap, as it is the safety for the position.
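
The effect of the quoted bound and of the recommended mitigation can be compared with a small integer model. This is an added example, not code from the report or from the Particle contracts; the function names and the sample amounts are constructed, and the premium accounting (borrowed + swap output + marginTo, minus collateralTo) is a simplifying assumption.

```python
# Added example: simplified integer model, not the Particle contracts.
# Assumption: "to"-side balance after opening = borrowed + swap output + marginTo,
# and whatever exceeds collateralTo is the borrower's premium.

class InsufficientSwap(Exception):
    """Stands in for Errors.InsufficientSwap in Base::swap."""


def amount_to_minimum(collateral_to, amount_to_borrowed, margin_to, count_margin):
    """Minimum swap output the position manager will accept.

    count_margin=True  -> expression quoted from openPosition
    count_margin=False -> recommended mitigation (margin kept out of the bound)
    """
    minimum = collateral_to - amount_to_borrowed
    if count_margin:
        minimum -= margin_to
    if minimum < 0:
        # Solidity 0.8 would revert here; the report tracks this in another issue.
        raise ArithmeticError("underflow")
    return minimum


def premium_after_open(collateral_to, amount_to_borrowed, margin_to,
                       amount_received, count_margin):
    """Premium left on the "to" side if the swap returns amount_received."""
    minimum = amount_to_minimum(collateral_to, amount_to_borrowed,
                                margin_to, count_margin)
    if amount_received < minimum:  # same comparison as Base::swap
        raise InsufficientSwap()
    return amount_to_borrowed + amount_received + margin_to - collateral_to


def guaranteed_premium(collateral_to, amount_to_borrowed, margin_to, count_margin):
    """Smallest premium the check still accepts (swap returns exactly the minimum)."""
    minimum = amount_to_minimum(collateral_to, amount_to_borrowed,
                                margin_to, count_margin)
    return premium_after_open(collateral_to, amount_to_borrowed, margin_to,
                              minimum, count_margin)


# Constructed values: collateralTo=1000, amountToBorrowed=400.
if __name__ == "__main__":
    for margin in (0, 50, 200):
        print(margin,
              guaranteed_premium(1000, 400, margin, count_margin=True),
              guaranteed_premium(1000, 400, margin, count_margin=False))
```

With the quoted expression the guaranteed premium stays at zero however much marginTo is supplied; with the margin kept out of the bound it equals marginTo.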

Assessed type

MEV
