Incorrect down payment calculation
Description
When opening a short position, the short pool contract imposes a limit on the amount of principal that can be borrowed. The limit depends on the amount of collateral that is provided by the user opening the position.
The limit is enforced after the swap of principal for collateral is performed, reverting the transaction (and therefore the swap) if the operation is determined to be overleveraged. The openPosition function converts the down payment amount (denominated in terms of the collateral asset) to the corresponding amount of principal that it could buy back, using the same exchange rate at which the borrowed principal was traded for the collateral.
There is a mistake in the formula used to compute the converted down payment amount, in the following line:
uint256 swappedDownPaymentAmount = _request.downPayment * _request.principal / (collateralReceived - _request.downPayment);
The down payment is incorrectly subtracted from collateralReceived, which is a variable containing the amount of collateral received from the swap, not including the down payment.
Impact
The incorrect calculation overestimates the down payment, allowing users to borrow with more leverage than intended.
Recommendations
Replace the incorrect calculation with the following.
uint256 swappedDownPaymentAmount = _request.downPayment * _request.principal / collateralReceived;
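The following Python model is an added example, not code from the Wasabi contracts or from the audit. It reproduces the two formulas with uint256-style integer math and compares which principal amounts each one lets through. The leverage check (principal <= max_leverage * converted down payment), the constant swap rate, the sample numbers and the Solidity 0.8 checked-arithmetic behaviour are assumptions made for illustration.

```python
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Models a Solidity revert."""

def _checked(value):
    # Assumption: Solidity >= 0.8 checked arithmetic (no silent wrap-around).
    if not 0 <= value <= UINT256_MAX:
        raise Revert("arithmetic underflow/overflow")
    return value

def _div(a, b):
    if b == 0:
        raise Revert("division by zero")
    return a // b  # operands are non-negative, so this matches uint256 truncation

def swapped_down_payment_buggy(down_payment, principal, collateral_received):
    # Line quoted in the finding: the down payment is subtracted from the swap output.
    denominator = _checked(collateral_received - down_payment)
    return _div(_checked(down_payment * principal), denominator)

def swapped_down_payment_fixed(down_payment, principal, collateral_received):
    # Recommended line: convert at the swap's own rate, principal / collateralReceived.
    return _div(_checked(down_payment * principal), collateral_received)

def accepted(formula, down_payment, principal, rate, max_leverage):
    # HYPOTHETICAL limit (not from the page): principal <= max_leverage * converted down payment.
    # rate is a constructed constant price: collateral units received per unit of principal.
    try:
        converted = formula(down_payment, principal, principal * rate)
    except Revert:
        return False
    return principal <= max_leverage * converted

def max_accepted_principal(formula, down_payment, rate, max_leverage, upper):
    # Largest principal in 1..upper that the modelled check lets through.
    return max((p for p in range(1, upper + 1)
                if accepted(formula, down_payment, p, rate, max_leverage)), default=0)

if __name__ == "__main__":
    # Constructed values: 100 collateral down, 2 collateral per principal, 3x limit.
    for f in (swapped_down_payment_fixed, swapped_down_payment_buggy):
        print(f.__name__, max_accepted_principal(f, 100, 2, 3, 400))
```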
Remediation
This issue has been acknowledged by Wasabi, and a fix was implemented in commit 0a42697f.