Malicious users will purchase dust amount of options to prevent option sellers from burning their options #473
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
grade-b
primary issue: Highest quality submission among a set of duplicates
Q-12
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_312_group: AI based duplicate group recommendation
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/SemiFungiblePositionManager.sol#L999-L1035
https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/PanopticPool.sol#L836-L847
Vulnerability details
Impact
Option sellers won't be able to close short positions because of an existing dust-amount buy, which might cause a few issues:
Proof of Concept
The PanopticPool contract only allows option sellers to burn the entire position size of an option. By using this feature/vulnerability, malicious users can buy a dust amount of options to prevent option sellers from closing their positions.
Here's a PoC written in Foundry that shows an option seller not being able to close their position:
Tools Used
Manual Review, Foundry
Recommended Mitigation Steps
Option sellers should be able to close a partial amount of their positions.
Or, only allow buying a meaningful minimum amount of options.
Assessed type
DoS