Category: Business Logic
The maxAllowedCollateral check could be bypassed using topUpCollateral
Medium Severity
Medium Impact
High Likelihood
Description
Traders can use the topUpCollateral function to increase the collateral size of their trades. However, the function does not check whether the new collateral size exceeds maxAllowedCollateral.
function topUpCollateral(uint16 pairIndex, uint8 index, uint256 topUpAmount) external notDone {
    // [...]
    uint256 tradeSize = t.collateral * t.leverage / 100;
    t.collateral += topUpAmount;
    t.leverage = (tradeSize * PRECISION_6 / t.collateral / 1e4).toUint32();
    if (t.leverage < pairsStorage.pairMinLeverage(t.pairIndex)) {
        revert WrongLeverage(t.leverage);
    }
    storageT.updateTrade(t);
    emit TopUpCollateralExecuted(sender, pairIndex, index,
        topUpAmount, t.leverage);
}
Impact
The maxAllowedCollateral check could be bypassed, allowing users to increase their collateral size by more than the maximum allowed value.
Recommendations
Add the following check in the topUpCollateral function:
t.collateral += topUpAmount;
t.leverage = (tradeSize * PRECISION_6 / t.collateral / 1e4).toUint32();
+ if (t.collateral > maxAllowedCollateral) {
+ revert AboveMaxAllowedCollateral();
+ }
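Review bot: the new cap check sits after the t.leverage recomputation, so an oversized top-up still goes through the division and the toUint32() cast before it reverts; placing the check directly after t.collateral += topUpAmount; rejects it earlier and keeps the cap independent of the leverage math. The comparison is strict (>), so a top-up that lands exactly on the limit is accepted; confirm that this matches the boundary used by the existing maxAllowedCollateral check, and add tests for the at-limit and one-over-limit cases.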
Remediation
This issue has been acknowledged by Ostium Labs, and a fix was implemented in commit db8d5a4a.
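The following integer model of the function's arithmetic, with and without the recommended check, can serve as a regression check for the cap. It is an added example, not Ostium's code: PRECISION_6 = 10**6 and leverage stored in hundredths are assumptions inferred from the snippet, and the cap, minimum leverage and amounts are constructed sample values.

```python
PRECISION_6 = 10**6        # assumed value of the contract constant
UINT32_MAX = 2**32 - 1     # bound applied by toUint32()

class WrongLeverage(Exception): pass
class AboveMaxAllowedCollateral(Exception): pass

def top_up_collateral(collateral, leverage, top_up, min_leverage, max_allowed, patched):
    """Integer model of topUpCollateral; returns (collateral, leverage) or raises."""
    trade_size = collateral * leverage // 100          # leverage assumed in hundredths
    collateral += top_up
    leverage = trade_size * PRECISION_6 // collateral // 10**4
    if leverage > UINT32_MAX:
        raise OverflowError("toUint32 overflow")
    if leverage < min_leverage:
        raise WrongLeverage(leverage)
    if patched and collateral > max_allowed:           # the recommended check
        raise AboveMaxAllowedCollateral(collateral)
    return collateral, leverage

def accepted_over_cap(start, leverage, top_ups, min_leverage, max_allowed, patched):
    """Top-up amounts that are accepted yet leave collateral above the cap."""
    over = []
    for amount in top_ups:
        try:
            new_collateral, _ = top_up_collateral(
                start, leverage, amount, min_leverage, max_allowed, patched)
        except (WrongLeverage, AboveMaxAllowedCollateral):
            continue
        if new_collateral > max_allowed:
            over.append(amount)
    return over

# Constructed sample values, not taken from the protocol's configuration.
CAP, MIN_LEV = 10_000, 100          # cap in collateral units, 1x minimum leverage
TOP_UPS = [1, 1_000, 10_000, 490_000, 500_000]

if __name__ == "__main__":
    print("unpatched:", accepted_over_cap(CAP, 5_000, TOP_UPS, MIN_LEV, CAP, False))
    print("patched:  ", accepted_over_cap(CAP, 5_000, TOP_UPS, MIN_LEV, CAP, True))
```

In the unpatched model the minimum-leverage check is the only limit on the resulting collateral; with the check enabled, no accepted top-up leaves the trade above the cap.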