Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

`VaultRouterBranch.sol` will return wrong swap rates

novaman33

Summary

A vault is in debt when the unsettled realized debt in usd is less than zero. However in the `VaultRouterBranch` we can see that the opposite is assumed.

Vulnerability Details

In the VaultRouterBranch.sol we can see several instances in which it is assumed that vault is in credit when it has negative debt:\

// get the vault's net credit capacity, i.e its total assets usd value minus its total debt (or adding its

// credit if debt is negative)

uint256 totalAssetsMinusVaultDebt = getVaultCreditCapacity(vaultId);

Here we can see that this variable is trying to represent the total assets - debt. However the getVaultCreditCapacity will actually assume that there is credit, when the debt is negative which is incorrect:

function getVaultCreditCapacity(uint128 vaultId) public view returns (uint256) {

// fetch storage slot for vault by id

Vault.Data storage vault = Vault.loadExisting(vaultId);

// fetch the vault's total assets in 18 dec

SD59x18 totalAssetsX18 =

vault.collateral.convertTokenAmountToSd59x18(IERC4626(vault.indexToken).totalAssets().toInt256());

// we use the vault's net sum of all debt types coming from its connected markets to determine the swap rate

SD59x18 vaultDebtUsdX18 = vault.getTotalDebt();

// get collateral asset price

UD60x18 assetPriceX18 = vault.collateral.getPrice();

// convert the vault debt value in USD to the equivalent amount of assets to be credited or debited

SD59x18 vaultDebtInAssetsX18 = vaultDebtUsdX18.div(assetPriceX18.intoSD59x18());

// get decimal offset

uint8 decimalOffset = Constants.SYSTEM_DECIMALS - vault.collateral.decimals;

// subtract the vault's debt from the total assets

// NOTE: we add 1 to the total assets to avoid division by zero.

// Add 10 ** decimalsOffset since when converting back from x18 to uint256, it would equal 1

// NOTE: credit is accounted as negative debt, so it would be added to the total assets//@audit

SD59x18 totalAssetsMinusVaultDebtX18 =

totalAssetsX18.add(sd59x18(int256(10 ** uint256(decimalOffset)))).sub(vaultDebtInAssetsX18);

return totalAssetsMinusVaultDebt;

}

Here we can see that the vault debt will be added instead of removed in the totalAssetsMinusVaultDebtX18 because there will be debt when the vaultDebtInAssetsX18 is negative.

Impact

The swap rates will always be wrong.

Tools Used

Manual Review

Recommendations

Change add the vault debt instead of subtracting it.

Updates

Lead Judging Commences

inallhonesty Lead Judge

5 months ago

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.