F-2025-0013·error-handling

Missing position existence check leads to misleading errors

Acknowledgedstakingnft-boostrewards
TL;DR

closePosition does not validate positionId before accessing it; passing an out-of-range id yields a confusing 'Only position creator may modify position' error.

Severity
INFO
Impact
LOW
Likelihood
LOW
Method
MManual review
CAT.
Complexity
LOW
Exploitability
LOW
02Section · Description

Description

In the closePosition function, there is no validation that the positionId exists before accessing it:

solidity
function closePosition(uint positionId) external nonReentrant {
    Position storage position = positions[positionId];


    require(position.walletAddress == msg.sender, "Only position creator may modify position");
    require(position.open == true, "Position is already closed");
    // ...
}

If a user provides a positionId >= currentPositionId, the position will be empty (all fields zero-initialised). This leads to a misleading error message: if msg.sender is rightfully trying to close his position but entered the wrong positionId, they see "Only position creator may modify position".

03Section · Recommendation

Recommendation

Add an explicit existence check at the start of the function:

solidity
require(positionId < currentPositionId, "Position does not exist");
ZEALYNX SECURITY · published 2025-05-19
F-2025-0013

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx