Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

`settleVaultsDebt` will not be able to swap the collateral of a vault

novaman33

Summary

Both settleVaultsDebt try to swap assets that are not in the MarketMakingEngine.

Vulnerability Details

In settleVaultsDebtwe can see that when a vault is in debt it will swap its underlying assets to USDC:

However in the _convertAssetsToUsdc we can see that the MarketMakingEngine will wrongly assume that it stores those assets:

function _convertAssetsToUsdc(

uint128 dexSwapStrategyId,

address asset,

uint256 assetAmount,

bytes memory path,

address recipient,

address usdc

)

internal

returns (uint256 usdcOut)

{

} else {

// approve the asset to be spent by the dex adapter contract

DexSwapStrategy.Data storage dexSwapStrategy = DexSwapStrategy.loadExisting(dexSwapStrategyId);

IERC20(asset).approve(dexSwapStrategy.dexAdapter, assetAmount);

// verify if the swap should be input single or multihop

if (path.length == 0) {

// prepare the data for executing the swap

SwapExactInputSinglePayload memory swapCallData = SwapExactInputSinglePayload({

tokenIn: asset,

tokenOut: usdc,

amountIn: assetAmount,

recipient: recipient

});

// swap the credit deposit assets for USDC and store the output amount

usdcOut = dexSwapStrategy.executeSwapExactInputSingle(swapCallData);

As we can see above the MarketMakingEngine will approve the vault assets to the dexSwapStrategy, however the assets are actually stored in the zlpVault.

As a result all calls to the dexSwapStrategy will revert here:

As the adapters will try to transfer assets from the MarketMakingEngine while they are actually in the zlpVaults.

Impact

Medium - settleVaultsDebt will always revert due to insufficient balance.

Tools Used

Manual Review

Recommendations

Implement a way to fetch the assets from the zlpVault.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

settlevaultsdebt and rebalanceVaultAssets inside CreditDelegationBranch incorrectly swaps tokens from marketmakingengine and not directly from Zlpvault which breaks protocol

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.