Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

`wethRewardDistribution` will be lost if there are no stakers

Summary

The current implementation of Vault::recalculateVaultsCreditCapacity recalculates the credit capacity of an array of vaults based on their associated markets. However, a critical issue arises when a vault has no stakers but has a positive vaultTotalWethRewardChangeX18. In such cases, the WETH rewards are lost because there are no stakers to distribute the rewards to.

Vulnerability Details

Scenario

  1. recalculateVaultsCreditCapacity is called for Vault A.

  2. During the calculations, after iterating through all markets, vaultTotalWethRewardChangeX18 is found to be greater than 0.

  3. Since there are no stakers in the vault, the following check skips the reward distribution:

    if (!vaultTotalWethRewardChangeX18.isZero() && self.wethRewardDistribution.totalShares != 0) {
        SD59x18 vaultTotalWethRewardChangeSD59X18 = sd59x18(int256(vaultTotalWethRewardChangeX18.intoUint256()));
        self.wethRewardDistribution.distributeValue(vaultTotalWethRewardChangeSD59X18);
    }

Problem

The issue lies in the fact that even though wethRewards are accounted for in the market engine's credit delegation (which tracks debts, USDC credit, and WETH rewards), the rewards are not distributed if there are no stakers. This results in the loss of rewards for the vault, as there is no mechanism to retain or redistribute them.

Impact

WETH rewards are permanently lost for the vault when there are no stakers to receive them. Funds will be stuck.

Tools Used

Manual code review.

Recommendations

To address this issue, consider the following solutions:

  1. Distribute Rewards to Other Vaults:

    • If there are multiple vaults in the same market, distribute the unclaimed rewards proportionally among them.

  2. Retain Rewards for Future Stakers:

    • Store the unclaimed rewards in the vault until at least one staker is present. Once a staker joins, distribute the accumulated rewards to them.

Implementing either of these solutions will ensure that rewards are not lost and are fairly distributed to eligible participants.
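
One way the second recommendation could be modelled, as an added example that is not part of the original submission or of the Zaros code base: a simplified share-based accumulator in which value arriving while `totalShares` is zero is parked and then released when the next staker joins. The contract name, its functions and the `retainedReward` variable are all hypothetical, and the sketch covers accounting only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added sketch, not Zaros code: accounting only, no token transfers or access control.
/// All names are hypothetical.
contract RetainedRewardSketch {
    uint256 private constant ONE = 1e18;

    uint256 public totalShares;        // plays the role of wethRewardDistribution.totalShares
    uint256 public rewardPerShareX18;  // cumulative reward per share, scaled by 1e18
    uint256 public retainedReward;     // value received while totalShares == 0

    mapping(address => uint256) public sharesOf;
    mapping(address => uint256) public accrued;
    mapping(address => uint256) private paidPerShareX18;

    /// Called at the point where the vault would otherwise call distributeValue.
    function notifyReward(uint256 amount) external {
        if (amount == 0) return;
        if (totalShares == 0) {
            // The guard shown in the report skips this case; here the value is parked instead.
            retainedReward += amount;
            return;
        }
        rewardPerShareX18 += (amount * ONE) / totalShares;
    }

    function stake(uint256 shares) external {
        require(shares != 0, "zero shares");
        _checkpoint(msg.sender);
        sharesOf[msg.sender] += shares;
        totalShares += shares;
        if (retainedReward != 0) {
            // Released after the checkpoint, so the first staker receives all of it.
            rewardPerShareX18 += (retainedReward * ONE) / totalShares;
            retainedReward = 0;
        }
    }

    function earned(address account) public view returns (uint256) {
        uint256 delta = rewardPerShareX18 - paidPerShareX18[account];
        return accrued[account] + (sharesOf[account] * delta) / ONE;
    }

    function _checkpoint(address account) private {
        accrued[account] = earned(account);
        paidPerShareX18[account] = rewardPerShareX18;
    }
}
```

Because the retained amount is credited in full to whoever stakes first, regardless of the size of that stake, a design that adopts this pattern has to decide whether that allocation is acceptable or whether the value should be released gradually.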

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
