Part 2

Zaros
Perpetuals DEX Foundry Solidity
70,000 USDC
Submission Details
Severity: medium
Valid

Wrong values of newly added `vault`

Summary

When a new vault is added for a market, a CreditDelegation struct is created for each (Market, Vault) tuple. Initially, all values in the CreditDelegation struct are set to 0. This leads to a significant issue: while the values of CreditDelegation are 0, they can only be updated if there is some WETH available for distribution. If no WETH is available, the debt for the vault will not be distributed until WETH becomes available. On the other hand, if WETH is available at the beginning, the protocol will try to distribute a share of it to the vault, even though the vault has only just joined. This happens because the calculation uses the difference wethRewardPerVaultShare - lastVaultDistributedWethRewardPerShareX18, and lastVaultDistributedWethRewardPerShareX18 is initially 0.

Vulnerability Details

The issue arises in the debt distribution mechanism for new vaults. When a new vault is added, the CreditDelegation struct is initialized with default values of 0. The debt distribution logic relies on the difference between wethRewardPerVaultShare and lastVaultDistributedWethRewardPerShareX18. Since lastVaultDistributedWethRewardPerShareX18 is 0 initially, the system will attempt to distribute all WETH accumulated since the market's inception. This can lead to incorrect debt calculations and unfair distribution of rewards.

Key Points:

  1. Initialization Issue: New vaults start with lastVaultDistributedWethRewardPerShareX18 = 0.

  2. Debt Distribution: Debt is only distributed when WETH is available, and the calculation uses wethRewardPerVaultShare - lastVaultDistributedWethRewardPerShareX18.

  3. Accumulated Debt: If WETH is not available initially, debt will not be distributed until WETH becomes available. When it does, the system will attempt to distribute all debt from the beginning, leading to incorrect calculations.

Impact

  1. Incorrect Debt Accumulation: Debt for new vaults will not be accumulated until WETH is available for distribution.

  2. Wrong totalCreditCapacity: The totalCreditCapacity of vaults will be computed incorrectly, leading to inaccurate debt calculations.

  3. Unfair Distribution: Vaults added later may receive an unfair share of rewards due to the accumulation of WETH from the beginning of the market.

Tools Used

Manual review

Recommendations

To fix this issue, ensure that the CreditDelegation struct is correctly initialized when a new vault is added. Specifically, set lastVaultDistributedWethRewardPerShareX18 to the current wethRewardPerVaultShare at the time of vault creation. This will prevent the system from attempting to distribute all accumulated WETH from the beginning of the market.
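
The checkpoint behaviour described in this finding, as an added Solidity sketch (not Zaros code and not part of the original submission): a simplified reward-per-share model in which `connectVault` either leaves the checkpoint at 0 or snapshots it as recommended. Only `CreditDelegation`, `wethRewardPerVaultShare` and `lastVaultDistributedWethRewardPerShareX18` are names from the finding; every other name is hypothetical, and plain `uint256` 1e18 fixed-point arithmetic is an assumption standing in for the protocol's own math types.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Zaros code. Only CreditDelegation, wethRewardPerVaultShare and
// lastVaultDistributedWethRewardPerShareX18 are names from the finding; the rest is hypothetical.
contract MarketRewardModel {
    uint256 private constant WAD = 1e18; // 18-decimal fixed-point unit

    struct CreditDelegation {
        uint256 shares; // credit share the vault delegates to the market
        uint256 lastVaultDistributedWethRewardPerShareX18; // accumulator value at last distribution
    }

    uint256 public wethRewardPerVaultShare; // cumulative WETH per share since market creation
    uint256 public totalShares;
    mapping(uint256 => CreditDelegation) public delegations; // keyed by vault id

    // Market receives WETH: the per-share accumulator only ever grows.
    function receiveWeth(uint256 amount) external {
        require(totalShares > 0, "no connected vaults");
        wethRewardPerVaultShare += (amount * WAD) / totalShares;
    }

    // snapshot == false reproduces the reported behaviour (checkpoint left at 0);
    // snapshot == true applies the recommended initialization.
    function connectVault(uint256 vaultId, uint256 shares, bool snapshot) external {
        CreditDelegation storage cd = delegations[vaultId];
        require(cd.shares == 0 && shares > 0, "bad connect");
        cd.shares = shares;
        totalShares += shares;
        if (snapshot) {
            cd.lastVaultDistributedWethRewardPerShareX18 = wethRewardPerVaultShare;
        }
    }

    // WETH credited to the vault since its checkpoint, then the checkpoint is advanced.
    function distribute(uint256 vaultId) external returns (uint256 owed) {
        CreditDelegation storage cd = delegations[vaultId];
        // With a zero checkpoint this delta spans the market's whole history,
        // including WETH received before the vault was connected.
        uint256 delta = wethRewardPerVaultShare - cd.lastVaultDistributedWethRewardPerShareX18;
        owed = (delta * cd.shares) / WAD;
        cd.lastVaultDistributedWethRewardPerShareX18 = wethRewardPerVaultShare;
    }
}
```

Connecting a second vault after `receiveWeth` with `snapshot` set to false makes its first `distribute` credit WETH that accrued before it joined, so the sum owed across vaults exceeds what the market received; with `snapshot` set to true the first delta is zero.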

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

When a new vault is connected its `lastVaultDistributedWethRewardPerShare` starts at 0, allowing it to claim all historical WETH rewards
