Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Stale Credit Delegation in `_updateCreditDelegations()` Allows Over-Allocation of Vault Funds

In the `_updateCreditDelegations()` function, credit delegation updates rely solely on the provided `connectedMarketsIdsCache`, failing to account for markets that were previously delegated credit but have since been removed. This creates a scenario where removed markets retain their previous credit delegation balance, leading to an overestimation of available credit for remaining markets. The function updates delegation values as follows:

```solidity
UD60x18 creditDelegationShareX18 = ud60x18(creditDelegation.weight).div(ud60x18(totalCreditDelegationWeightCache));
vaultCreditCapacityUsdX18 = getTotalCreditCapacityUsd(self);
UD60x18 newCreditDelegationUsdX18 = vaultCreditCapacityUsdX18.gt(SD59x18_ZERO)
    ? vaultCreditCapacityUsdX18.intoUD60x18().mul(creditDelegationShareX18)
    : UD60x18_ZERO;
```

However, if a market is no longer connected, it does not receive an update, preserving its old delegation value, effectively double-counting credit allocations. This can lead to situations where more credit is distributed than the vault actually possesses, resulting in under-collateralization and potential fund mismanagement.

Impact:

The vault may allocate more credit than it actually holds, leading to insolvency risks and potential fund misallocation to markets that should no longer be receiving credit.

Mitigation:

Explicitly iterate over all previously connected markets and reset credit delegation for any markets no longer present in the updated `connectedMarkets` list.
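
A simplified model of the scenario the submission describes and of its proposed mitigation, added here as an example and not taken from the Zaros code base. The contract, function names and the `everDelegated` list are hypothetical, amounts are plain 18-decimal `uint256` values instead of `UD60x18`, and the model says nothing about how the real contract treats disconnected markets.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model with hypothetical names (not Zaros code).
/// All amounts are 18-decimal fixed-point values held in uint256.
contract CreditDelegationModel {
    mapping(uint128 => uint256) public weight;       // marketId => delegation weight
    mapping(uint128 => uint256) public delegatedUsd; // marketId => delegated credit
    uint128[] private everDelegated;                 // every market that ever received credit
    mapping(uint128 => bool) private seen;

    function setWeight(uint128 marketId, uint256 w) external {
        weight[marketId] = w;
    }

    /// Update as the submission describes it: only ids in `connected` are written.
    function updateListedOnly(uint128[] calldata connected, uint256 capacityUsd) public {
        uint256 totalWeight;
        for (uint256 i; i < connected.length; i++) totalWeight += weight[connected[i]];
        for (uint256 i; i < connected.length; i++) {
            uint128 id = connected[i];
            if (!seen[id]) {
                seen[id] = true;
                everDelegated.push(id);
            }
            // share = weight / totalWeight; delegation = capacity * share
            delegatedUsd[id] = totalWeight == 0 ? 0 : (capacityUsd * weight[id]) / totalWeight;
        }
    }

    /// Update with the proposed mitigation: clear every earlier delegation first,
    /// so a market missing from `connected` ends at zero.
    function updateWithReset(uint128[] calldata connected, uint256 capacityUsd) external {
        for (uint256 i; i < everDelegated.length; i++) delegatedUsd[everDelegated[i]] = 0;
        updateListedOnly(connected, capacityUsd);
    }

    /// Invariant a reviewer would test: this sum must never exceed the vault capacity.
    function totalDelegatedUsd() public view returns (uint256 sum) {
        for (uint256 i; i < everDelegated.length; i++) sum += delegatedUsd[everDelegated[i]];
    }
}
```

In this model, with markets 1 and 2 at equal weight and a capacity of 1000e18, updating with `[1, 2]` and then `[1]` through `updateListedOnly` leaves `totalDelegatedUsd()` at 1500e18, while the same sequence ending in `updateWithReset` leaves it at 1000e18.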

Updates

Lead Judging Commences

inallhonesty Lead Judge
5 months ago
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
