#0x04

Jupiter Perpetuals: Fee Denomination Mismatch in get_close_amount()

@jbell92submitted a report toJupiterMarch 17, 2026 at 20:40

Severity	INFORMATIONAL
CVSS	8.6`CVSS:3.1/AV:N/AC:L/UI:N/C:H/A:L/I:L/S:U/PR:N`
Vulnerability Type	Use of Broken or Risky Cryptographic Algorithm
Asset	*.jup.ag - Jupiter Domain

Description

Jupiter Perpetuals: Fee Denomination Mismatch in get_close_amount() Severity: HIGH Summary

In pool.rs::get_close_amount(), the exit_fee is computed in the trading token's native units (SOL lamports, 9 decimals) but subtracted directly from locked_amount which is denominated in collateral token units (USDC, 6 decimals). For SOL shorts at $85, this causes an 11.76x overcharge on exit fees, silently consuming trader profit via saturating_sub.

The opening fee path correctly converts between denominations (open_position.rs lines 246-249), but the closing path does not. Vulnerability Details

File: programs/perpetuals/src/state/pool.rs, function get_close_amount() Root Cause

// get_close_amount() computes exit_fee in TRADING TOKEN units: let size = token_price.get_token_amount(position.size_usd, custody.decimals)?; // For SOL: size = $10K / $85 * 1e9 = 117,647,058,824 lamports

let exit_fee = pool.get_exit_fee(size, custody)?; // exit_fee = 117,647,058,824 * 10/10000 = 117,647,059 (SOL lamports)

// Then subtracts it from locked_amount which is in COLLATERAL (USDC) units: let close_amount = math::checked_sub(locked_amount, exit_fee)?; // locked_amount is in USDC micros (6 decimals) // exit_fee is in SOL lamports (9 decimals) // 117,647,059 interpreted as USDC = $117.65 instead of correct $10.00

Correct Conversion in open_position.rs (for comparison)

// Lines 246-249: opening fee IS properly converted let fee_amount_usd = token_ema_price.get_asset_amount_usd(fee_amount, custody.decimals)?; fee_amount = collateral_token_ema_price .get_token_amount(fee_amount_usd, collateral_custody.decimals)?;

The closing path in get_close_amount() skips this conversion entirely. Affected Code Paths

close_position → get_close_amount() → exit fee calculation liquidate → get_close_amount() → liquidation fee calculation

Overcharge Factor by Token/Price Token Price Overcharge Factor SOL $85 11.76x SOL $150 6.67x SOL $50 20x wBTC $90K ~0.001x (under) wETH $3K ~0.33x (under)

For tokens where native decimals (9) > collateral decimals (6), fees are over-subtracted. SOL is the most traded asset and is systematically overcharged. Impact

Direct financial loss to traders closing profitable SOL short positions:

For a $10K SOL SHORT opened at $85, closed at $75:

Expected profit: $1,176.47 Expected exit fee: $10.00 (0.1% of $10K) Actual exit fee charged: $117.65 (11.76x overcharge) Net profit stolen: all $1,176.47 (saturating_sub zeroes it)

The saturating_sub prevents revert, so the overcharge is silent — traders receive less than expected with no error or warning.

At scale with Jupiter's daily volume (~$200M+), this represents significant ongoing value extraction from short traders. Proof of Concept

Full on-chain PoC using solana-test-validator with the reference implementation binary. 9/9 tests pass. Test Flow

Deploy perpetuals program via --upgradeable-program Initialize: admin, pool ("TestPool"), SOL custody (virtual), USDC custody (stable) Set custom oracles: SOL=$85, USDC=$1 Add $500K USDC liquidity Open SOL SHORT: 117.6 SOL size (~$10K), $10K USDC collateral Wait for new block (profit requires curtime > open_time) Move SOL oracle to $75 Close position → receive exactly $10,000.00 back (zero profit)

Expected: $10K collateral + $1,176 profit - $10 fee = $11,166 Actual: $10K collateral + $0 net = $10,000 (all profit consumed by overcharged fee) Output

═══════════════════════════════════════════════ FINDING 1: Fee Denomination Mismatch (get_close_amount) ═══════════════════════════════════════════════ Position: SOL SHORT, $10K size, entry $85, exit $75 Expected profit: (85-75)/85 × $10K = $1,176.47 Expected fee: 0.1% × 117.6 SOL → convert to USDC → $10.00 ──────────────────────────────────────────────── Buggy fee path (get_close_amount): exit_fee = 117,647,058,824 × 10/10000 = 117,647,059 (SOL lamports) BUT: subtracted from locked_amount in USDC micros! 117,647,059 interpreted as USDC = $117.65 (11.76x overcharge) ──────────────────────────────────────────────── Collateral deposited: $10,000.00 + opening fee Received back: $10,000.00 Net profit: $0.00 Expected net profit: $1,166.47 ($1,176.47 - $10 correct fee) Profit stolen by bug: $1,166.47 ═══════════════════════════════════════════════

How to Reproduce

1. Clone the reference implementation

git clone https://github.com/julianfssen/jupiter-perpetuals cd jupiter-perpetuals

2. Build the program binary

cargo build-sbf --features test

3. Generate admin keypair

solana-keygen new -o admin.json --no-bip39-passphrase

4. Start local validator with the program

solana-test-validator
--upgradeable-program Bmr31xzZYYVUdoHmAJL1DAp2anaitW8Tw9YfASS94MKJ
target/deploy/perpetuals.so
admin.json
--ledger /tmp/test-ledger --quiet &

5. Run the PoC

cd npm install npx ts-mocha -p tsconfig.json -t 120000 tests/onchain-exploit.ts

References

programs/perpetuals/src/state/pool.rs — get_close_amount() function programs/perpetuals/src/instructions/open_position.rs lines 246-249 (correct conversion) programs/perpetuals/src/instructions/close_position.rs — calls get_close_amount() Reference repo: https://github.com/julianfssen/jupiter-perpetuals

here is a fine-grained PAT to the github repo with all relevant information. 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

Steps to Reproduce

1. Clone the reference implementation

git clone https://github.com/julianfssen/jupiter-perpetuals cd jupiter-perpetuals

2. Build the program binary

cargo build-sbf --features test

3. Generate admin keypair

solana-keygen new -o admin.json --no-bip39-passphrase

4. Start local validator with the program

solana-test-validator
--upgradeable-program Bmr31xzZYYVUdoHmAJL1DAp2anaitW8Tw9YfASS94MKJ
target/deploy/perpetuals.so
admin.json
--ledger /tmp/test-ledger --quiet &

5. Run the PoC

cd npm install npx ts-mocha -p tsconfig.json -t 120000 tests/onchain-exploit.ts

References

here is a fine-grained PAT to the github repo with all relevant information.

Impact

This causes direct financial loss to traders closing profitable SOL positions. Expected: $10K collateral + $1,176 profit - $10 fee = $11,166 Actual: $10K collateral + $0 net = $10,000 (all profit consumed by overcharged fee) Output

Thank you,

Jamie J. Bell 17153080880 [email protected]

Attachments (1)

jupiter-fee-mismatch-master.zip

application/zip

Activity

@jbell92commented.

Mar 18

Your report says CVSS as not required, yet it forces one to fill it out in order to progress.

@raccoonscommented.

Mar 18

Hi @jbell92, Thanks for your report. We are currently validating the findings and will get back to you shortly.

@raccoonschanged the status toNeeds More Info

Mar 18

Hello @jbell92, The repository referenced in the report appears to be either inaccessible (404 error) or private: https://github.com/julianfssen/jupiter-perpetuals. Could you please provide additional information regarding this repository? How did you acquire access to this code?

@jbell92changed the status toNew

Mar 18

I was asked to resubmit under the new bug bounty program as these were with Raccoon Labs under the previous bug bounty program. I have the full mainnet cloned still. Perhaps it was merged into the main?

@raccoonsclosed the report asInformative

Mar 20

Hi @jbell92, Thanks for clarifying. I’ve checked with our team, and we haven’t implemented any of the functions you mentioned in the code you cloned. I’m closing this report as informative. We appreciate you reaching out to report this. We look forward to more reports from you. Jupiter Security Team

@raccoonschanged the severity fromhightoinformational

Mar 23

@raccoonsdisclosed this reportPublic Disclosure

4d ago

Properties

Status

INFORMATIVE

Severity

INFORMATIONAL

Reporter

@jbell92

Program

Jupiter