Submission Details
Severity:
Unnecessary Update to USDC Availability Mapping
## Summary
Unnecessary update of available USDC of engine's usd token
## Vulnerability Details
In `CreditDelegationBranch::settleVaultsDebt`, the `if()` get executed when the vault is in debt(less USDC than vault asset),
that is, vault unsettled realized debt in USD is less than zero then the exact amount of USDC needed to pay for the debt is
calculated and part of the vault assets is converted to USDC to cover for vault debts.
The exact USDC gotten is used to update(pay) debt of the vault and no USDC will be remained since the exact amount needed was
calculated in
```javascript
ctx.swapAmount = calculateSwapAmount(
dexSwapStrategy.dexAdapter,
ctx.usdc,
ctx.vaultAsset,
usdcCollateralConfig.convertSd59x18ToTokenAmount(ctx.vaultUnsettledRealizedDebtUsdX18.abs()),
);
```
However, the line of code below is not needed because the USDC gotten from the swap was used up to pay the debt. Moreover,
the NatSpec of `usdcAvailableForEngine` in `UsdTokenSwapConfig` says "The amount of USDC backing an engine's usd token,
coming from vaults that had their debt settled, allocating the usdc acquired to users of that engine." meaning only vault
with debt can store USDC using this mapping which is not the case for `if()` of `CreditDelegationBranch::settleVaultsDebt`.
```javascript
@> UsdTokenSwapConfig.load().usdcAvailableForEngine[vault.engine] += ctx.usdcOutX18.intoUint256();
```
## Impact
`vault.engine` will have more USDC than its balance since the USDC from swapped was used for debt settlement.
## Recommendations
Remove the line of code
```diff
- UsdTokenSwapConfig.load().usdcAvailableForEngine[vault.engine] += ctx.usdcOutX18.intoUint256();
```
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821 USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.