Incorrect logic for checking the credit capacity after a redeem
Summary
For a redeem to be successful, there must be enough credit capacity left in the vault, as the locked credit capacity represent assets that can't be withdrawn. The credit capacity delta is checked after a redeem operation, but the logic is flawed because if the delta is less than the locked capacity, the function reverts.
Vulnerability Details
In the VaultRouterBranch::redeem function, there should be a check to ensure that the withdrawn assets are not greater than the locked capacity of the vault.
The check in the if statement doesn't align with the comment. Instead of checking if the credit capacity delta is greater than the locked credit capacity, the if statement reverts when the delta is smaller than the locked amount.
Impact
This issue causes a DOS in the redeem function. If the user doesn't withdraw more the lockedCreditCapacity, the redeem function will always revert. In cases where the funciton should revert, it doesn't, allowing users to withdraw more than they should, which could leave the vault below the required minimum asset threshold (the locked capacity).
Recommendations
The credit capacity delta should be compared such that the function reverts only when it exceeds CreditCapacityBeforeRedeem - lockedCreditCapacityBeforeRedeem.
Lead Judging Commences
The check in VaultRouterBranch::redeem should be comparing remaining capacity against required locked capacity not delta against locked capacity
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.