Locked Capacity Check Not Working
Summary
The VaultRouterBranch::redeem function is used to redeem a given amount of index tokens in exchange for collateral assets from the provided vault, after the withdrawal delay period has elapsed. In the end it has a check trying to ensure that there is enough unlocked credit capacity of the vault so it doesn't leave it insolvent. However, that check is broken.
Vulnerability Details
The VaultRouterBranch::redeem function is used to redeem a given amount of index tokens in exchange for collateral assets from the provided vault, after the withdrawal delay period has elapsed. In the end it has a check trying to ensure that there is enough unlocked credit capacity of the vault so it doesn't leave it insolvent. However, that check is broken.
Let's have the following situation:
-
creditCapacityBeforeRedeemUsdX18is 50000 -
vault.getTotalCreditCapacityUsd()is 10000 -
lockedCreditCapacityBeforeRedeemUsdX18is 20000 -
creditCapacityBeforeRedeemUsdX18 - vault.getTotalCreditCapacityUsd()is 40000This means that 10000 are still left which is less than the locked capacity of 20000
-
However, the check is not working correctly and the transaction will not revert
Impact
This check is used to ensure that the vault can continue operating with its markets and not be left insolvent. With it being broken the vault can become insolvent or not have enough locked capacity needed to operate with its connected markets.
Tools Used
Manual Review
Recommendations
Change the check to this one:
Lead Judging Commences
The check in VaultRouterBranch::redeem should be comparing remaining capacity against required locked capacity not delta against locked capacity
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.