There is a flawed credit capacity check in the redeem function that allows users to withdraw more collateral assets than the vault’s available unlocked liquidity. This can drain the vault’s reserves, rendering it insolvent and unable to honor legitimate withdrawal requests.
flawed code
The condition checks whether the withdrawal amount (delta) is ≤ the locked credit capacity, not the unlocked credit capacity. This allows withdrawals to exceed unlocked liquidity if delta > lockedCredit.
A Scenario of the flawed vault check
Vault State:
Total Credit Capacity: 1,000 USD (assets available).
Locked Credit Capacity: 300 USD (reserved for pending withdrawals).
Unlocked Credit Capacity: 700 USD (available for immediate withdrawals).
Malicious Redemption:
A user attempts to redeem shares worth 800 USD (exceeding the unlocked 700 USD).
The flawed check incorrectly approves the withdrawal because 800 <= 300 evaluates to false.
The vault transfers 800 USD to the user, overdrawing its liquidity by 100 USD.
Manual review.
The correct approach should have been recalculating the unlocked credit correctly and ensuring that the redeemed amount doesn't exceed it. The corrected condition should check if the delta (redeemed amount) is greater than the unlocked credit and revert if true.
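The vault state from the scenario above, replayed in a small Python model as an added example (not the contract's code or the submitter's). The field and method names are hypothetical, and `redeem_flawed` is an assumed reconstruction of the check as the text describes it, since the original snippet is not shown.

```python
from dataclasses import dataclass

class InsufficientUnlockedCredit(Exception):
    """Stands in for the contract's revert."""

@dataclass
class Vault:
    # Hypothetical field names; whole-USD amounts as in the scenario.
    total_credit: int   # assets held by the vault
    locked_credit: int  # reserved for pending withdrawals

    @property
    def unlocked_credit(self) -> int:
        # Clamp at zero so inconsistent bookkeeping cannot go negative.
        return max(self.total_credit - self.locked_credit, 0)

    @property
    def shortfall(self) -> int:
        # Portion of the locked reservations no longer backed by assets.
        return max(self.locked_credit - self.total_credit, 0)

    def redeem_flawed(self, delta: int) -> int:
        # ASSUMED shape of the flawed check: delta is compared with the
        # locked capacity, so a delta above it is never stopped.
        if delta <= self.locked_credit:
            raise InsufficientUnlockedCredit("flawed check tripped")
        self.total_credit -= delta
        return delta

    def redeem_fixed(self, delta: int) -> int:
        if delta <= 0:
            raise ValueError("delta must be positive")
        # Recompute unlocked credit at call time; revert if exceeded.
        if delta > self.unlocked_credit:
            raise InsufficientUnlockedCredit(f"{delta} > {self.unlocked_credit}")
        self.total_credit -= delta
        return delta

def run_scenario():
    """Replay the 800 USD redemption against both checks."""
    flawed, fixed = Vault(1000, 300), Vault(1000, 300)
    flawed.redeem_flawed(800)        # passes: 800 <= 300 is false
    try:
        fixed.redeem_fixed(800)      # rejected: 800 > 700 unlocked
    except InsufficientUnlockedCredit:
        pass
    return flawed.shortfall, fixed.total_credit
```

`run_scenario()` returns the flawed vault's uncovered reservation (100) and the fixed vault's untouched total (1000).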