Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

`getTotalCreditCapacityUsd` Does Not Support Low Decimals

ChainDefenders

Summary

In Vault there is a function getTotalCreditCapacityUsd used to fetch the vault's total credit capacity allocated to the connected markets. However, currently it doesn't support low decimal tokens.

Vulnerability Details

function getTotalCreditCapacityUsd(Data storage self) internal view returns (SD59x18 creditCapacityUsdX18) {

// load the collateral configuration storage pointer

Collateral.Data storage collateral = self.collateral;

// fetch the zlp vault's total assets amount

UD60x18 totalAssetsX18 = ud60x18(IERC4626(self.indexToken).totalAssets());

// calculate the total assets value in usd terms

UD60x18 totalAssetsUsdX18 = collateral.getAdjustedPrice().mul(totalAssetsX18);

// calculate the vault's credit capacity in usd terms

creditCapacityUsdX18 = totalAssetsUsdX18.intoSD59x18().sub(getTotalDebt(self));

}

Let's take a look at this line:

UD60x18 totalAssetsX18 = ud60x18(IERC4626(self.indexToken).totalAssets());

If our indexToken has decimals less than 18 then the whole calculation will be wrong.

Let's have the following scenario:

indexToken has 6 decimals.
The total assets are 10 tokens.
totalAssetsX18 will be 10e6.
The function will return the value in 6 decimals and not the desired 18.

Impact

Wrong credit capacity calculation will lead to wrong checks performed in VaultRouterBranch::redeem which in itself will lead to the check for unlocked credit capacity not working.

Tools Used

Manual Review

Recommendations

Convert the IERC4626(vault.indexToken).totalAssets() first to an 18 decimal value before performing the calculation to ensure that all indexTokens with decimals less than or equal to 18 will work correctly.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`totalAssets()` is not properly scaled to ZAROS precision

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!