M-02 from past audit not completely fixed. Users can still bypass solvency checks when settling long premium #5
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-19
grade-c
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_primary: AI based primary recommendation
🤖_16_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/PanopticPool.sol#L1552-L1624
Vulnerability details
Impact
A full breakdown of issue M-02 from the previous audit can be found here. The vulnerability arises because the check for duplicate token ids is not implemented, allowing users to settle long premiums for other users while those users are insolvent. The affected functions are those in which the `_validateSolvency` function is used, including `settleLongPremium`, `forceExercise`, `burnOptions`, `liquidate` and `mintOptions`. The vulnerability was, however, mitigated only in `liquidate`, `forceExercise`, `burnOptions` and `mintOptions`, so it still exists in the `settleLongPremium` function. As a result, solvency checks can still be bypassed by users when settling long premium.
Proof of Concept
The mitigation involves checking that the position count in the hash does not exceed MAX_POSITIONS, which can be found in the `_updatePositionsHash` function. `_updatePositionsHash` is used in two places: in `_addUserOption`, which handles the hash for the `_mintOptions` function, and in the `_updatePositionDataBurn` function, which is used when burning options. Options are burned when force exercising and when liquidating, so those paths are covered by the validation. The hash validation is, however, not performed when settling long premium, as can be seen by going through the function, so the issue still exists and is not fully mitigated.
Tools Used
Manual code review
Recommended Mitigation Steps
Consider introducing the check in the `settleLongPremium` function.
Assessed type
Other
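The recommended fix, sketched here as added Solidity that is not Panoptic's code: the hash layout, the MAX_POSITIONS value, the error names and the `settleLongPremium` signature are assumptions. The point it shows is that `settleLongPremium` runs the same position-list validation as the mint and burn paths before any solvency check is trusted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified, assumed sketch for illustration only; the hashing scheme and
// function shapes are assumptions, not Panoptic's actual implementation.
contract PositionListValidation {
    uint256 internal constant MAX_POSITIONS = 32; // assumed bound

    // Per-user commitment to the set of open positions (assumed layout:
    // low 248 bits = XOR of keccak(tokenId), top 8 bits = position count).
    mapping(address => uint256) internal positionsHash;

    error TooManyPositions();
    error InvalidPositionList();
    error AccountInsolvent();

    function _updatePositionsHash(uint256 existingHash, uint256 tokenId, bool addFlag)
        internal pure returns (uint256)
    {
        uint248 updated = uint248(existingHash) ^ uint248(uint256(keccak256(abi.encode(tokenId))));
        uint256 count = existingHash >> 248;
        count = addFlag ? count + 1 : count - 1; // underflow on remove-from-empty reverts in 0.8
        if (count > MAX_POSITIONS) revert TooManyPositions();
        return uint256(updated) | (count << 248);
    }

    // Recompute the commitment from the caller-supplied list and compare it
    // with storage. Because the count sits in the top bits, a list with a
    // repeated or omitted tokenId cannot (short of a hash collision) match.
    function _validatePositionList(address user, uint256[] calldata ids) internal view {
        if (ids.length > MAX_POSITIONS) revert TooManyPositions();
        uint256 h;
        for (uint256 i; i < ids.length; ++i) h = _updatePositionsHash(h, ids[i], true);
        if (h != positionsHash[user]) revert InvalidPositionList();
    }

    function _validateSolvency(address user, uint256[] calldata ids) internal view {
        _validatePositionList(user, ids); // same guard the mint/burn paths rely on
        if (!_isSolvent(user, ids)) revert AccountInsolvent();
    }

    // Settling long premium for `owner` now validates the supplied list
    // against the stored commitment before the solvency check.
    function settleLongPremium(address owner, uint256[] calldata positionIdList, uint256 /*idx*/) external {
        _validateSolvency(owner, positionIdList);
        // ... premium settlement logic would follow (omitted in this sketch)
    }

    function _isSolvent(address, uint256[] calldata) internal view virtual returns (bool) { return true; }
}
```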