'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Zygo Disclosed Report
Audit report Zygo DualDefense AuditIncorrect Funding Rate Math will Lead to Loss of User and Protocol Funds
Target
https://github.com/devZygo/zygoAuditHacken
Vulnerability Details
In PerpDex.sol, several sections involving funding rate calculations do not properly account for the fact that the funding rate can be both positive and negative. This oversight leads to incorrect calculations and faulty conditional checks, which in turn results in inaccurate fee assessments and fund transfers. As a consequence, both user balances and protocol funds will be affected, causing financial losses and inconsistencies in accounting.
Validation steps
In Line 720 of PerpDex.sol, the code checks whether the margin is less than the fundingFee. However, since margin is always positive and the fundingFee can be either positive or negative, this check becomes unreliable. When the fundingFee is negative, the condition always evaluates to false, even in cases where it should not. As a result, the function does not return (0, 0) as expected and proceeds to Line 724, leading to incorrect fee calculations.
A similar issue appears on Line 741, where marginAfterFundingFee is calculated as "margin - fundingFee". When fundingFee is negative, this effectively becomes an addition, resulting in inflated values. This miscalculation leads to inaccurate fund and fee transfers, impacting both user balances and protocol accounting.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (3) 
