Fast Cerulean Armadillo
Medium
The system's option fee calculation function lacks proper validation between the strikePrice and strikePercent parameters. Users can manipulate these inputs by setting a high strikePercent to reduce the option fee while selecting a low strikePrice to retain most of the collateral's upside potential.
The function calculateOptionPrice calculates the fee using strikePercent, while the deposited collateral's valuation is determined by strikePrice. There is no validation ensuring consistency between these two parameters.
```solidity
function deposit(
    IBorrowing.BorrowLibDeposit_Params memory libParams,
    IBorrowing.BorrowDepositParams memory params,
    IBorrowing.Interfaces memory interfaces,
    mapping(IBorrowing.AssetName => address assetAddress) storage assetAddress
) public returns (uint256) {
    // ...
    // Call calculateOptionPrice in options contract to get options fees
    uint256 optionFees = interfaces.options.calculateOptionPrice(
        libParams.ethPrice,
        params.volatility,
        params.depositingAmount,
        params.strikePercent
    );
    // ...
    // Update the borrower details for this index
    depositDetail.normalizedAmount = uint128(normalizedAmount);
    depositDetail.strikePrice = params.strikePrice * uint128(params.depositingAmount);
}
```
- A user selects a high strikePercent, reducing the calculated option fee.
- Simultaneously, the user chooses a low strikePrice, securing a higher collateral value.
- If the market rises, the low strikePrice protects the user's upside.
- The user benefits from minimized fees due to the unrelated strikePercent value.
The protocol could lose significant revenue from reduced fees.
Implement a validation mechanism to ensure consistency between strikePrice and strikePercent.
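One way to express that consistency check, as an added example that is not the project's own code. The `StrikeConsistency` library, its error names and `MAX_STRIKE_PERCENT` are hypothetical, and it assumes strikePercent is a whole percentage above the current ETH price and strikePrice is in the same units as ethPrice (a cast is needed if the real strikePercent type is an enum).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (hypothetical library, not part of the audited code base).
/// Assumption: strikePercent = 5 means "strike is 5% above ethPrice".
library StrikeConsistency {
    error StrikeMismatch(uint256 supplied, uint256 expected);
    error StrikePercentOutOfRange(uint256 strikePercent);

    // Hypothetical upper bound; use the protocol's real maximum tier.
    uint256 internal constant MAX_STRIKE_PERCENT = 25;

    /// Strike price implied by the same strikePercent the fee is priced from.
    function expectedStrikePrice(uint256 ethPrice, uint256 strikePercent)
        internal
        pure
        returns (uint256)
    {
        if (strikePercent > MAX_STRIKE_PERCENT) {
            revert StrikePercentOutOfRange(strikePercent);
        }
        return (ethPrice * (100 + strikePercent)) / 100;
    }

    /// Reverts unless the user-supplied strikePrice matches the strike
    /// implied by strikePercent, so fee and payoff use one strike.
    function validate(
        uint256 ethPrice,
        uint256 strikePercent,
        uint256 strikePrice
    ) internal pure {
        uint256 expected = expectedStrikePrice(ethPrice, strikePercent);
        if (strikePrice != expected) {
            revert StrikeMismatch(strikePrice, expected);
        }
    }
}

// Hypothetical call site in deposit(), before calculateOptionPrice:
//   StrikeConsistency.validate(
//       libParams.ethPrice, params.strikePercent, params.strikePrice);
```

An exact-match check reverts if the oracle price moves between the moment the user computes strikePrice and the moment the transaction executes. Storing the value returned by `expectedStrikePrice` instead of accepting strikePrice from the caller avoids that and removes the second input entirely.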