Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

If newCreditDelegationUsdX18 is lesser than previousCreditDelegationUsdX18 then panic error underflow.

pavankv

Summary

UD60x18 is unsigned interger in prb math newCreditDelegationUsdX18 is credit given to market and previousCreditDelegationUsdX18 is previously provided credit to the market both are UD60x18 means unsigned interger. Protocol assumes that newCreditDelegationUsdX18 is always bigger than previous one so it will give runtime error panic code 11 which disturbs the normal flow of the code.

Vulnerability Details

function _updateCreditDelegation will be called in function recalculateCreditCapacity() . to update the vualt's credit delegation so here it may possible that new credit delegated will be less than the previous one. Without type casting to signed interger credit delta is calculated leads to panic error.

newCreditDelegation depend on factor total index assets weight and totalCreditDelegationWeight and previousCreditDelegation based on values of credit in usd ,so this may be possible that new credit delegation is less than previous one.

// if the vault's credit capacity went to zero or below, we set its credit delegation to that market

// to zero

UD60x18 newCreditDelegationUsdX18 = vaultCreditCapacityUsdX18.gt(SD59x18_ZERO)

? vaultCreditCapacityUsdX18.intoUD60x18().mul(creditDelegationShareX18)

: UD60x18_ZERO;

// calculate the delta applied to the market's total delegated credit

UD60x18 creditDeltaUsdX18 = newCreditDelegationUsdX18.sub(previousCreditDelegationUsdX18);

This below code is PRB library func of two UD60x18

/// @notice Implements the checked subtraction operation (-) in the UD60x18 type.

function sub(UD60x18 x, UD60x18 y) pure returns (UD60x18 result) {

result = wrap(x.unwrap() - y.unwrap());

}

POC

contract SubtractionTest is Test {

function testSubUnderflow() public {

UD60x18 x = wrap(5e18); // 5 * 10^18

UD60x18 y = wrap(10e18); // 10 * 10^18

// Expect a revert due to underflow

vm.expectRevert();

sub(x, y);

}

function sub(UD60x18 x, UD60x18 y) internal pure returns (UD60x18 result) {

result = wrap(x.unwrap() - y.unwrap());

}

Impact

Runtime error which disturbs the normal flow of execution.

Tools Used

Manual View

Recommendations

Add check before subtract
Type Cast before the subtract

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Vault::_updateCreditDelegations uses unsigned UD60x18 for credit delegation delta calculation which will underflow on any decrease in credit delegation amount

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.