'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Zygo Disclosed Report
Audit report Zygo DualDefense AuditIncorrect Funding Fee Accumulator Update During Position Merging
Target
https://github.com/devZygo/zygoAuditHacken
Vulnerability Details
When merging two positions, the protocol incorrectly updates the old position’s accFundingFeePerSize (the cumulative funding fee rate) to the new position’s stored value instead of the current global funding fee state. This allows attackers to exploit stale funding rate data, leading to systematic undercharging or overcharging of funding fees.
Impact
Protocol/User Fund Loss: Attackers can arbitrage the discrepancy between stale and current funding rates to drain protocol funds or unfairly profit.
Permanent Financial Imbalances: Incorrect fee calculations create unrecoverable losses for LPs or traders.
Validation steps
Setup:
Deploy the PerpDex contract.
Open two positions:
- Position A (Alice): accFundingFeePerSize = 100
- Position B (Bob): accFundingFeePerSize = 200 (opened after a funding rate update).
Exploit:
Trigger a funding rate update (e.g., via market volatility), setting the global accFeePerSize to 300.
Merge Position A and B. Observe:
oldPosition.accFundingFeePerSize = newPosition.accFundingFeePerSize; // Sets to 200 instead of 300
Calculate Fees:
After merging, the funding fee for the merged position is computed as:
fee = size * (currentAccFeePerSize - mergedAccFeePerSize) // 300 - 200 = 100
- Expected Fee: 300 - 100 = 200 (using Position A’s original rate).
- Actual Fee: 100 (due to incorrect update).
Result:
-
Protocol loses 100 units of fees per merged position.
-
Attacker gains 100 units of profit.
Proof of Concept (PoC) Scenario
Actors:
- Alice: Legitimate trader with Position A.
- Bob: Attacker exploiting the bug.
Steps:
- Initial State:
Global accFeePerSize = 100.
Alice opens Position A (accFundingFeePerSize = 100).
- Funding Rate Increase:
Market conditions push accFeePerSize to 200.
- Bob’s Action:
Opens Position B (accFundingFeePerSize = 200).
Merges Position B with Alice’s Position A.
- Post-Merge State:
Merged position’s accFundingFeePerSize is 200 (instead of current global rate 200).
- Second Rate Increase:
Global accFeePerSize rises to 300.
- Fee Calculation:
Correct Liability: 300 - 100 = 200.
Actual Liability: 300 - 200 = 100.
- Outcome:
Protocol loses 100 units per merged position.
Bob profits by avoiding 100 units of fees.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
