Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Ostium>Critical findings>Traders can increase collateral without paying more tokens
GeneralOverview
Findings
Critical (2)Traders can increase collateralOrder ID reuse due to multiple `PriceUpkeeps`
High (3)
Medium (6)
Low (6)
Informational (2)
DiscussionRemoval of trading pairs is not supportedIncorrect last updated block number for TP and SLTradeUtils used as a library for address
Threat ModelWhat are threat models?Delegatable.solOstiumOpenPnl.solOstiumTrading.solOstiumVault.sol
Audit ResultsSummary
Category: Business Logic

Traders can increase collateral without paying more tokens

Critical Severity
Critical Impact
High Likelihood

Description

The function topUpCollateral can be used by traders to increase the collateral size of their trades. It increases the trade's collateral value while reducing leverage to maintain the same tradeSize. Notably, the function does not deduct these new tokens from the user's account. Consequently, a user can increase their collateral size of the trade without incurring extra token cost.

function topUpCollateral(uint16 pairIndex, uint8 index, uint256 topUpAmount) external notDone {
    // [...]
    uint256 tradeSize = t.collateral * t.leverage / 100;
    t.collateral += topUpAmount;
    t.leverage = (tradeSize * PRECISION_6 / t.collateral / 1e4).toUint32();

    if (t.leverage < pairsStorage.pairMinLeverage(t.pairIndex)) {
        revert WrongLeverage(t.leverage);
    }

    storageT.updateTrade(t);

    emit TopUpCollateralExecuted(sender, pairIndex, index, topUpAmount, t.leverage);
}

Impact

A user can increase their collateral size without paying the tokens needed to increase the size.

Recommendations

Add the relevant code to transfer the topUpAmount from the user's address to storageT.

Remediation

This issue has been acknowledged by Ostium Labs, and a fix was implemented in commit db8d5a4a.

Zellic © 2024Back to top ↑