AuditOne Blog
Mitigating a Critical Leverage Update Vulnerability in LeverageX

LeverageX is a decentralized platform that lets users open highly leveraged positions of up to 150x on multiple financial assets such as cryptocurrencies, stocks, and forex. Since the protocol runs entirely on smart contracts, it offers transparency and self-custodial trading directly from users' wallets. While the complexity of its mechanics provides these benefits, it also introduces potential security flaws.

AuditOne recently performed a manual audit of LeverageX's smart contracts. We searched for weaknesses that could undermine the protocol's solvency, its integrity, or users' funds. One of several high-severity findings stood out because of its systemic risk: a bug in the leverage update logic that could be abused to manipulate liquidation prices, putting the protocol at risk of insolvency.

The Key Risk: Updating Leverage Past Liquidation Thresholds

Keeping liquidation logic precise is essential in high-leverage systems. The most important bug we found lives in the updateLeverage() function in UpdateLeverageUtils.sol. This is what happens behind the scenes:

  • The user opens a position with extremely low collateral but extremely high leverage.
  • When updateLeverage() is invoked, it calls _prepareValues(), which recalculates internal values such as the liquidation price (liqPrice).
  • With such a low collAmount, the
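To make the "past liquidation thresholds" risk concrete, here is an added illustrative model (not LeverageX's or AuditOne's code) of a leveraged long whose liqPrice is recomputed on a leverage update. It contrasts an unchecked update, which silently accepts a new liqPrice that the market has already crossed, with one that validates the recomputed liqPrice against the current price before applying it. The margin formula, the 1% maintenance margin and the field names beyond collAmount and liqPrice are assumptions made for the example.

```python
from dataclasses import dataclass
from fractions import Fraction

MAX_LEVERAGE = Fraction(150)        # protocol cap quoted in the post
MAINTENANCE = Fraction(1, 100)      # assumed 1% maintenance margin (constructed)


@dataclass
class Position:
    """Simplified long position; names follow the post where it uses them."""
    collAmount: Fraction   # collateral backing the position
    leverage: Fraction     # notional / collAmount
    entryPrice: Fraction   # price at which the notional was opened


def liq_price(pos: Position) -> Fraction:
    # A long is liquidated once its loss, notional * (entry - price) / entry,
    # has eaten all collateral except the maintenance margin. Solving for price
    # gives entry * (1 - (1 - MAINTENANCE) / leverage). Higher leverage (or
    # lower collAmount for the same notional) pushes liqPrice up towards entry.
    return pos.entryPrice * (1 - (1 - MAINTENANCE) / pos.leverage)


def update_leverage_unchecked(pos: Position, new_leverage: Fraction) -> Fraction:
    # Mirrors the risky pattern: recompute liqPrice for the new leverage and
    # apply it without asking whether the position is already liquidatable.
    pos.leverage = new_leverage
    return liq_price(pos)


def update_leverage_checked(pos: Position, new_leverage: Fraction,
                            current_price: Fraction) -> tuple[bool, Fraction]:
    """Return (accepted, liqPrice); the position is only mutated on accept."""
    if not 0 < new_leverage <= MAX_LEVERAGE:
        return False, liq_price(pos)
    candidate = Position(pos.collAmount, new_leverage, pos.entryPrice)
    new_liq = liq_price(candidate)
    # Refuse any update whose recomputed liqPrice is at or above the current
    # price: such a position belongs to the liquidation path, not to a
    # leverage change that would quietly reset its threshold.
    if current_price <= new_liq:
        return False, liq_price(pos)
    pos.leverage = new_leverage
    return True, new_liq
```

With a 50x long opened at 100 and the price at 99, raising leverage to 150x moves liqPrice from 98.02 to 99.34, i.e. above the current price; the unchecked path accepts it, the checked path rejects it.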