Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Incorrect Swap Direction in settleVaultsDebt Function

mrxsnowden

Summary

The settleVaultsDebt function in the smart contract is responsible for resolving the debt or credit of specified vaults by swapping assets to USDC or vice versa. However, a critical issue exists where the parameters passed to the calculateSwapAmount function are inverted during both the debt and credit handling cases. This results in incorrect swap directions, leading to improper settlement of debts and credits, which could potentially cause protocol insolvency.

Vulnerability Details

The settleVaultsDebt function operates as follows:

1- Recalculate Credit Capacity : Updates the credit capacity of the specified vaults.

2- Iterate Through Vaults : For each vault, it calculates the unsettled realized debt (ctx.vaultUnsettledRealizedDebtUsdX18) and determines whether the vault is in debt (negative debt) or credit (positive debt).

3- Debt Case :
Swaps the vault's collateral asset to USDC to cover the debt.

4- Credit Case :
Swaps the vault's deposited USDC to its underlying collateral asset to resolve the credit.

Issue Description

The issue arises in the calculateSwapAmount function calls:

1- Debt Case : The parameters are inverted, attempting to swap USDC for the vault asset instead of the intended vault asset for USDC.
2- Credit Case : Similarly, the parameters are inverted, leading to unintended swaps.

How calculateSwapAmount Works ?
The calculateSwapAmount function calculates the required input of assetIn to receive a desired output of assetOut :

function calculateSwapAmount(

address dexAdapter,

address assetIn,

address assetOut,

uint256 vaultUnsettledDebtUsdAbs

// Debt Case (Incorrect Swap Direction)

ctx.swapAmount = calculateSwapAmount(

dexSwapStrategy.dexAdapter,

ctx.usdc, // Incorrect: assetIn = USDC

ctx.vaultAsset, // Incorrect: assetOut = vaultAsset

usdcCollateralConfig.convertSd59x18ToTokenAmount(ctx.vaultUnsettledRealizedDebtUsdX18.abs())

);

// Credit Case (Incorrect Swap Direction)

ctx.usdcIn = calculateSwapAmount(

dexSwapStrategy.dexAdapter,

ctx.vaultAsset, // Incorrect: assetIn = vaultAsset

ctx.usdc, // Incorrect: assetOut = USDC

usdcCollateralConfig.convertSd59x18ToTokenAmount(ctx.vaultUnsettledRealizedDebtUsdX18.abs())

);

Impact

1- Incorrect Debt Resolution : When a vault is in debt, the function attempts to swap USDC for the vault asset instead of the vault asset for USDC. This leads to insufficient USDC being acquired to settle the debt, resulting in unresolved debt.
2- Improper Credit Handling : When a vault is in credit, the function attempts to swap the vault asset for USDC instead of USDC for the vault asset. This results in insufficient collateral being acquired, leaving the credit unsettled.
3- Potential Protocol Insolvency : If debts are not resolved correctly, the protocol may become insolvent, as the system relies on accurate settlement of debts and credits to maintain balance.

Tools Used

foundry

Recommendations

Reverse the parameters in the calculateSwapAmount function calls to ensure the correct swap direction.

Updates

Lead Judging Commences

inallhonesty Lead Judge

7 months ago

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.