Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Wrong logic when depositCreditForMarket

ChainDefenders

Summary

When calling depositCreditForMarket, the engine can deposit USD, USDC, or another asset. If the deposited asset is USDC, the function settleCreditDeposit is triggered. However, this function incorrectly decreases realizedDebtUsdPerVaultShare, even when the credit is not actually settled.

Vulnerability Details

The settleCreditDeposit function is responsible for updating the USDC credit per vault share and adjusting the realized debt per vault share.
When USDC is deposited, the function incorrectly reduces realizedDebtUsdPerVaultShare, even though no actual credit settlement has occurred.
This can lead to incorrect debt calculations, making it appear as if debt has been reduced when, in reality, it has not.

Impact

Incorrect debt reduction – The system incorrectly assumes that some of the debt has been settled.
Risk of over-crediting – The system might allow excess credit, based on an incorrect assumption of available funds.

Tools Used

Manual review

Recommendations**

To ensure that realizedDebtUsdPerVaultShare is only adjusted when a valid settlement occurs, update the settleCreditDeposit function as follows:

function settleCreditDeposit(Data storage self, address settledAsset, UD60x18 netUsdcReceivedX18) internal {

// removes the credit deposit asset that has just been settled for usdc

self.creditDeposits.remove(settledAsset);

// calculate the usdc that has been accumulated per usd of credit delegated to the market

UD60x18 addedUsdcPerCreditShareX18 = netUsdcReceivedX18.div(ud60x18(self.totalDelegatedCreditUsd));

// add the usdc acquired to the accumulated usdc credit variable

self.usdcCreditPerVaultShare =

ud60x18(self.usdcCreditPerVaultShare).add(addedUsdcPerCreditShareX18).intoUint128();

// deduct the amount of usdc credit from the realized debt per vault share only if it's a valid settlement

+ if (settledAsset != address(0)) {

self.realizedDebtUsdPerVaultShare = sd59x18(self.realizedDebtUsdPerVaultShare)

.sub(addedUsdcPerCreditShareX18.intoSD59x18())

.intoInt256()

.toInt128();

+ }

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

6 months ago

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.