Part 2

Summary

The current implementation will allow users to swap usd token of the engine with collateral from any zlpVault. However the accurate rabalancing may not be applicable because of the flawed implementation of the rebalanceVaultsAssets which will only rebalnce two vaults if they are in opposite states(meaning one of them should be in debt and the other one should be in credit).

Vulnerability Details

In the StabilityBranch.sol we can see that the usd token of an engine can be swapped in any of the engine's vaults:

Furthermore we can see that the purpose of the rebalanceVaultsAssets is to mitigate such swaps and rebalance the debt of the vaults so that is fair for the LPs.

However we can see that the rebalancing is only possible if one of the vaults is in debt and the other is in credit. This means that if both vaults are in the same state, they cannot be rebalanced.

This is incorrect as it would result in unfair rates for creation and redemption in those vaults.

Consider the following scenarios:

0.VaultA and VaultB are both in credit. In VaultA users deposit WBTC and in VaultB users provide WETH.

VaultA.getUnsettledRealizedDebt()=-200e18and VaultB.getUnsettledRealizedDebt()=-200e18
VaultA supports MarketA and VaultB will only be connected to MarketB.

1.There is a positive PnL event a the perpEngine calls withdrawUsdTokenFromMarket in order to reward Bob with his profit of 50e18 USD tokens, withdrawing 50USD tokens from MarketA. Now the state of the Vaults is the following:

1. Now Bob calls initiateSwap passing VaultB as he wants to use his USD to swap for WETH. As a result the following line will be executed:

   which will decrease VaultB debt. As a result the state is now:

Now those vaults cannot be rebalanced since using rebalanceVaultsAssets requires both of them are actually in credit. As a result the LPs of VaultA suffer a loss since

Impact

Tools Used

Recommendations