Jovial Ocean Elk - Incorrect use of nagative values in maintained() and margined() function in Position.sol
#58
Labels
Sponsor Disputed
The sponsor disputed this issue's validity
Comments
sherlock-admin3
added
the
Sponsor Disputed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Jovial Ocean Elk
High
Incorrect use of nagative values in
maintained()andmargined()function inPosition.solSummary
The
maintained()andmargin()functions wrongly handle negative collateral values making a path for undercollateralized positions to appear solvent.Vulnerability Details
https://github.com/sherlock-audit/2025-01-perennial-v2-4-update/blob/main/perennial-v2/packages/core/contracts/types/Position.sol#L211-L217https://github.com/sherlock-audit/2025-01-perennial-v2-4-update/blob/main/perennial-v2/packages/core/contracts/types/Position.sol#L242-L250maintained()andmargin()functionscollateral is stored as
Fixed6which issignedbut later converted toUFIXED6which isunsignedusingUFixed6Lib.unsafeFrom(collateral).The negative values are wrapped around to large set of numbers due to two representation
-100→2^256 - 100which will cause the check to return true for negative collateral.Impact
Malicious users can maintain positions with negative collaterals bypassing solvency checks.
Malicious actors can also borrow funds without collateralizing.
Tools Used
Manual review.
Recommendations
Revert or return false if collateral is negative unless position is empty.
The text was updated successfully, but these errors were encountered: