`rebalanceVaultAssets` will not work correctly
Summary
During the rebalanceVaultsAssets function, there is a mechanism to swap underlying vault assets for USDC. However, an issue exists where getExpectedOutput returns an estimated value of funds needed from vault assets to obtain an exact amount of USDC. This estimate does not account for the final result of executeSwapExactInputSingle, leading to potential inconsistencies.
Vulnerability Details
The current implementation does not store the actual output of executeSwapExactInputSingle. Instead, it assumes the expected value is correct. Since slippage and liquidity variations can cause deviations, failing to use the actual value can lead to incorrect updates in the vaults’ financial state.
Impact
If there is a discrepancy between the estimated and actual output values, the contract may not have sufficient funds to cover the changes. This could result in miscalculations in the vaults’ balances, potentially leading to financial losses or failure in executing settlements.
Recommendations
To mitigate this issue, refactor the code to capture the actual swapped amount before proceeding with further calculations.
Lead Judging Commences
`CreditDelegationBranch::rebalanceVaultsAssets` doesn't take DEX swap slippage into consideration when swapping debt vault's collateral asset to credit vault's usdc
he rebalanceVaultsAssets function in CreditDelegationBranch.sol updates vault accounting using the pre-swap USD value (usdDelta) rather than the actual post-swap USDC amount received. This means slippage is not accounted for, causing accounting misalignment - if there's negative slippage, the credit vault gets credited more USDC than actually received; if there's positive slippage, it gets credited less.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.