Skip to content

Latest commit

 

History

History
90 lines (71 loc) · 3.29 KB

005.md

File metadata and controls

90 lines (71 loc) · 3.29 KB

Low Tangerine Cod

High

users will get more funds than suppose due to incorrect strike price logic

Summary

calculateStrikePriceGains uses current eth price which is incorrect

Root Cause

strike price - fixed price at which the holder of an options contract can buy (in the case of a call option) or sell (in the case of a put option) the underlying asset when the option is exercised.

    function calculateStrikePriceGains(
        uint128 depositedAmount,
        uint128 strikePrice,
        uint64 ethPrice
    ) external view onlyBorrowingContract returns (uint128) {
        // Check the input params are non zero
        require(depositedAmount != 0 && strikePrice != 0 && ethPrice != 0,"Zero inputs in options");
        uint64 currentEthPrice = ethPrice;
        // Calculate current deposited ETH value in USD
        uint128 currentEthValue = depositedAmount * currentEthPrice;
        uint128 ethToReturn;
        // If the current value is greater, then user will get eth
        if (currentEthValue > strikePrice) {
            ethToReturn = (currentEthValue - strikePrice) / currentEthPrice;
        } else {
            ethToReturn = 0;
        }
        return ethToReturn;
    }

Blockchain/Blockchian/contracts/Core_logic/Options.sol#L77

            uint128 depositedAmountvalue = (params.depositDetail.depositedAmountInETH * params.depositDetail.ethPriceAtDeposit) / params.ethPrice;
            collateralToReturn = (depositedAmountvalue + params.options.calculateStrikePriceGains(
                        params.depositDetail.depositedAmountInETH,
                        params.depositDetail.strikePrice,
                        params.ethPrice
                    )
                );

Lets calculate: deposit 1ETH, ethprice 1000$, strike price = 1200 later: ethprice - 2000$. depositedAmountvalue = 0.5ETH calculateStrikePriceGains = (1 ether2000- 1ether1200)/2000 = 0.4ETH collateralToReturn = depositedAmountvalue+calculateStrikePriceGains = 0.9ETH.

But calculate using strike price definition: (1ether * 1200/2000) ~ 0.6ETH

so, protocol returning to user more than it should

Internal pre-conditions

External pre-conditions

Attack Path

always happening

Impact

Users withdraw more funds than the protocol expects them to have.

PoC

Mitigation

calculateStrikePriceGains calculates amount to remain in protocol and the rest goes to user

-            collateralToReturn = (depositedAmountvalue + params.options.calculateStrikePriceGains(
-                        params.depositDetail.depositedAmountInETH,
-                        params.depositDetail.strikePrice,
-                        params.ethPrice
-                    )
-                );
+            collateralRemainingInWithdraw = (params.options.calculateStrikePriceGains(
+                params.depositDetail.depositedAmountInETH,
+                params.depositDetail.strikePrice,
+                params.ethPrice
+            ));
+            collateralToReturn = params.depositDetail.depositedAmountInETH - collateralRemainingInWithdraw