Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Wrong implementation of `settleVaultsDebt`

novaman33

Summary

The wrong implementation in settleVaultsDebt will actually make the debt even worse.

Vulnerability Details

In the settleVaultsDebt the following operations are performed for each vault:`

// cache the vault's unsettled debt, if zero skip to next vault\

// amount in zaros internal precision\

ctx.vaultUnsettledRealizedDebtUsdX18 = vault.getUnsettledRealizedDebt();\

if (ctx.vaultUnsettledRealizedDebtUsdX18.isZero()) continue;

// otherwise vault has debt to be settled, cache the vault's collateral asset

ctx.vaultAsset = vault.collateral.asset;

// loads the dex swap strategy data storage pointer

DexSwapStrategy.Data storage dexSwapStrategy =

DexSwapStrategy.loadExisting(vault.swapStrategy.assetDexSwapStrategyId);

// if the vault is in debt, swap its assets to USDC

if (ctx.vaultUnsettledRealizedDebtUsdX18.lt(SD59x18_ZERO)) {

Here we can see that if the vault has an unsettled debt which is less than 0 it is assumed to be in debt. However this is actually wrong since a vault is in debt when the realized debt is more than 0.
As a result vaults that are in credit will swap collateral and increase their credit even more, creating the vaultUnsettledRealizedDebtUsdX18 more negative, while vaults that are in debt, will swap their USDC for collateral which will increase their debt drastically.(here we can see that USDC reduces the debt)

Impact

The debt cannot be settled because of the wrong checks in the function. With the current implementation if the vault is in credit(which means negative debt), the function will further increase its credit:

While if the vault is in debt, it will become in even more debt.

Tools Used

Manual Review

Recommendations

When a vault is in debt, the vaultUnsettledRealizedDebtUsdX18 is actually positive.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Validated

Assigned finding tags:

settleVaultDebt functions in opposite direction because of `ctx.vaultUnsettledRealizedDebtUsdX18.lt(SD59x18_ZERO)` having an inversed comparator (should have been gt)

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.