#0x05

Jupiter Perpetuals: AUM Uses Wrong Custody for Short Position Profits

@jbell92submitted a report toJupiterMarch 17, 2026 at 20:58

Severity	INFORMATIONAL
CVSS	8.6`CVSS:3.1/AV:N/AC:L/UI:N/PR:N/S:U/I:L/A:L/C:H`
Vulnerability Type	Not set
Asset	*.jup.ag - Jupiter Domain
Endpoint	`https://jup.ag/`

Description

In pool.rs::get_assets_under_management_usd(), when computing unrealized PnL for short positions, the function passes the trading token custody (e.g., SOL) as collateral_custody to get_pnl_usd(). For shorts, the actual collateral is USDC. This causes max_profit_usd to be computed using the wrong custody's decimals and price, inflating AUM by undervaluing aggregate short profits. This directly affects LP token pricing via add_liquidity and remove_liquidity. Vulnerability Details

File: programs/perpetuals/src/state/pool.rs, function get_assets_under_management_usd() Root Cause

pub fn get_assets_under_management_usd(...) -> Result { for (idx, &custody_key) in self.custodies.iter().enumerate() { // Iterates positions against this custody let (profit_usd, loss_usd, _) = self.get_pnl_usd( position, &token_price, &token_ema_price, custody, // trading token custody (SOL) &token_price, // WRONG: SOL price passed as collateral price &token_ema_price, // WRONG: SOL EMA passed as collateral EMA custody, // WRONG: SOL custody passed as collateral_custody curtime, false, )?; } }

For short positions, collateral is always USDC (a stablecoin), but this code passes the SOL custody as collateral_custody.

Steps to Reproduce

Inside get_pnl_usd(), collateral_custody is used to compute max_profit_usd:

let max_profit_usd = min_collateral_price .get_asset_amount_usd(position.locked_amount, collateral_custody.decimals)?;

locked_amount is stored in USDC units (6 decimals) — e.g., 10,000,000,000 for $10K
With correct USDC custody (6 decimals): 10,000,000,000 / 1e6 * $1 = $10,000 ✅
With wrong SOL custody (9 decimals): 10,000,000,000 / 1e9 * $85 = $850 ❌

The max_profit_usd is capped at $850 instead of $10,000 — a ~12x underestimate.

Additionally, collateral_custody.is_virtual triggers a special code path that uses a $1 reference price:

let min_collateral_price = if collateral_custody.is_virtual { // Uses $1 reference price for virtual custody OraclePrice { price: 10u64.pow(USD_DECIMALS), exponent: -(USD_DECIMALS) } } else { collateral_token_price.get_min_price(...) };

When SOL custody (virtual=true) is wrongly passed, this uses $1/SOL instead of $1/USDC, further distorting the calculation. Impact on AUM

Short profits are undervalued → AUM appears larger than reality
add_liquidity: LPs receive fewer LP tokens per dollar (pool overvalued)
remove_liquidity: LPs receive more dollars per LP token burned (draining pool)
Net: systematic value leakage from pool to LP removers during SOL price declines

Quantification

Per $10K aggregate short profit at SOL=$85:

Correct AUM reduction: -$10,000
Actual AUM reduction: -$850 (12x too small)
AUM overstatement: ~$9,150 per $10K short profit

With Jupiter's $100M+ TVL and significant short OI, this causes material LP token mispricing during volatile periods.

Impact

Per $10K aggregate short profit at SOL=$85:

Correct AUM reduction: -$10,000
Actual AUM reduction: -$850 (12x too small)
AUM overstatement: ~$9,150 per $10K short profit

With Jupiter's $100M+ TVL and significant short OI, this causes material LP token mispricing during volatile periods.

When SOL custody (virtual=true) is wrongly passed, this uses $1/SOL instead of $1/USDC, further distorting the calculation. Impact on AUM

Short profits are undervalued → AUM appears larger than reality
add_liquidity: LPs receive fewer LP tokens per dollar (pool overvalued)
remove_liquidity: LPs receive more dollars per LP token burned (draining pool)
Net: systematic value leakage from pool to LP removers during SOL price declines

For the full PoC, here is a private, fine-tuned PAT for my repo showing everything in the event the zipped file of everything doesn't show everything. the PAT is good for 1 week starting from today. https://github.com/Mcfuzzlez/jupiter-aum-miscalc.git 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

Thank you,

Jamie J. Bell 17153080880 [email protected]

Attachments (1)

jupiter-aum-miscalc-master.zip

application/zip

Activity

@raccoonscommented.

Mar 18

Hi @jbell92, Thanks for your report. We are currently validating the findings and will get back to you shortly.

@raccoonsclosed the report asNot Applicable

Mar 22

Hi jbell92, thank you for the report. however, we have reviewed the details and determined that this behavior is intended or does not pose a clear security risk to our users. As this does not qualify as a vulnerability under our program policy, we are closing this report as Not Applicable. We appreciate your interest in our security and look forward to your future submissions.

@raccoonschanged the severity fromhightoinformational

Mar 23

@raccoonsdisclosed this reportPublic Disclosure

4d ago

@raccoonschanged the vulnerability type fromnonetonone

3d ago

Properties

Status

Not Applicable

Severity

INFORMATIONAL

Reporter

@jbell92

Program

Jupiter