Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Vault locked credit capacity is wrongly checked when user redeems

h2134

Summary

Vault locked credit capacity is wrongly checked when user redeems.

Vulnerability Details

A vault's lockedCreditRatio determines how much of the vault's total assets can't be withdrawn according to the Vault's total debt, it is expected that after user redeems, the withdrawn amount should be less than the total amount - locked amount.

However, in redeem(), protocol wrongly checks the locked credit capacity against withdrawn amount instead of the left credit capacity (total amount - locked amount).

VaultRouterBranch::redeem():

if (
@> ctx.creditCapacityBeforeRedeemUsdX18.sub(vault.getTotalCreditCapacityUsd()).lte(
@> ctx.lockedCreditCapacityBeforeRedeemUsdX18.intoSD59x18()
)
) {
revert Errors.NotEnoughUnlockedCreditCapacity();
}

Impact

The locked credit capacity is used to secure the credit delegation system, this issue let user withdraw more collateral than allowed, leading to potential liquidity issues to connected markets.

Tools Used

Manual Review

Recommendations

Check locked credit capacity againt the left credit capacity in the vault.

if (
- ctx.creditCapacityBeforeRedeemUsdX18.sub(vault.getTotalCreditCapacityUsd()).lte(
- ctx.lockedCreditCapacityBeforeRedeemUsdX18.intoSD59x18()
+ vault.getTotalCreditCapacityUsd().lte(
+ ctx.lockedCreditCapacityBeforeRedeemUsdX18.intoSD59x18()
)
) {
revert Errors.NotEnoughUnlockedCreditCapacity();
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The check in VaultRouterBranch::redeem should be comparing remaining capacity against required locked capacity not delta against locked capacity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.