Part 2

Summary

The getUnsettledRealizedDebt() function in the vault credit delegation system suffers from integer precision issues due to improper handling of rounding in fixed-point math (PRB-Math). This can lead to incorrect debt calculations, potentially causing vaults to appear insolvent when they are not, or vice versa.

Vulnerability Details

The function getUnsettledRealizedDebt() performs calculations using fixed-point arithmetic, specifically PRB-Math, to determine the unsettled realized debt. The issue arises in the following line of code:

• Problem: The depositedUsdc value is converted into a fixed-point number (ud60x18) and then into a signed fixed-point number (sd59x18) without proper rounding checks. This can lead to precision loss, especially when dealing with small amounts of USDC.

• Impact: Improper rounding can cause the total debt calculation to be inaccurate, leading to scenarios where vaults are either over-credited or over-debited. This could result in incorrect financial states, such as vaults appearing insolvent when they are not, or vice versa.

Impact

• Financial Discrepancies: Vaults may be incorrectly marked as insolvent or solvent due to miscalculations in debt.

• User Trust: Users may lose trust in the system if their vault balances are inaccurately represented.

• Exploitation: Malicious actors could exploit this vulnerability to manipulate vault states for their benefit.

Tools Used

• Static Analysis Tools: Tools like Slither or MythX can be used to identify potential integer precision issues in smart contracts.

• Manual Code Review: A thorough review of the fixed-point arithmetic implementation, particularly focusing on rounding and precision handling.

• Unit Testing: Writing and running unit tests to simulate edge cases, such as depositing very small amounts of USDC, to observe rounding errors.

Recommendations

1. Implement Proper Rounding: Ensure that all fixed-point arithmetic operations include proper rounding checks. For example, use round or ceil functions to handle precision loss appropriately.

2. Use Higher Precision Arithmetic: Consider using higher precision arithmetic libraries or data types to minimize the risk of rounding errors.

3. Add Validation Checks: Implement validation checks to ensure that the calculated debt values fall within expected ranges. If discrepancies are detected, the system should flag them for manual review.

4. Thorough Testing: Conduct extensive testing, including edge cases with very small and very large amounts of USDC, to ensure that the debt calculations are accurate under all conditions.

5. Audit and Peer Review: Engage in a thorough audit and peer review process to identify and address any other potential vulnerabilities in the codebase.

By addressing these issues, the system can ensure accurate debt calculations, maintain user trust, and prevent potential exploits.