A critical issue exists in the Market::getCreditCapacityUsd function, where the total debt is incorrectly added to the delegated credit instead of being subtracted. This results in an overestimation of the credit capacity, which could lead to excessive borrowing, liquidity issues, and potential insolvency.
The bug is in the Market::getCreditCapacityUsd function:
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/market-making/leaves/Market.sol#L197
totalDebtUsdX18 is the sum of realized and unrealized debt and will be positive if the market has debt.
The credit capacity should be calculated as:
If the result is negative, the credit capacity should be set to zero.
The credit capacity is calculated as:
This adds the total debt to the delegated credit, leading to an overestimation of the credit capacity.
The function overestimates the credit capacity, allowing markets to borrow more than they should.
This increases the risk of insolvency and liquidity issues.
All functions relying on this behavior will be biased; for example, getAdjustedProfitForMarketId (https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/market-making/branches/CreditDelegationBranch.sol#L147), which should revert when credit capacity is less than or equal to zero, will not.
The bug was identified through a detailed review of the getCreditCapacityUsd function.
Update the formula to subtract the total debt from the delegated credit:
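The sign error and the corrected calculation side by side, as an added example that is not the Zaros source. The contract, function and error names are hypothetical, plain 18-decimal int256/uint256 values stand in for the project's fixed-point types, and the amounts in demo() are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

/// Added illustration, not project code. All names are hypothetical and
/// amounts are 18-decimal USD values held in plain integers.
contract CreditCapacitySketch {
    error NoCreditCapacity();

    /// Behaviour described in the finding: debt is ADDED to delegated credit,
    /// so a market with positive debt reports more capacity, not less.
    function capacityAsReported(uint256 delegatedCreditUsd, int256 totalDebtUsd)
        public pure returns (int256)
    {
        // Assumes delegatedCreditUsd fits in int256 (no SafeCast in this sketch).
        return int256(delegatedCreditUsd) + totalDebtUsd;
    }

    /// Recommended behaviour: debt is SUBTRACTED and a negative result
    /// is floored at zero.
    function capacityFixed(uint256 delegatedCreditUsd, int256 totalDebtUsd)
        public pure returns (int256)
    {
        int256 capacity = int256(delegatedCreditUsd) - totalDebtUsd;
        return capacity < 0 ? int256(0) : capacity;
    }

    /// Stand-in for a caller that must revert when capacity is <= 0.
    function requireCapacity(int256 capacityUsd) public pure returns (int256) {
        if (capacityUsd <= 0) revert NoCreditCapacity();
        return capacityUsd;
    }

    /// Constructed scenario: debt exceeds the delegated credit.
    function demo() external pure returns (int256 reported, int256 corrected) {
        uint256 delegated = 1_000e18; // constructed value
        int256 debt = 1_500e18;       // constructed value, positive = market has debt
        reported = capacityAsReported(delegated, debt);
        corrected = capacityFixed(delegated, debt);
        // With the added-debt result the guard passes even though the market
        // is over-indebted; with the corrected result the same call reverts.
        requireCapacity(reported);
    }
}
```

A regression test for the fix would assert that requireCapacity(capacityFixed(...)) reverts whenever total debt is greater than or equal to the delegated credit.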