Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Vaults and markets are not correctly updated during connection

Summary

When connecting vaults and markets, only old vaults are updated. The status of new vaults and markets remains unchanged. This will lead to incorrect debt calculation and protocol malfunction.

Vulnerability Details

Markets and vaults are connected through MarketMakingEngineConfigurationBranch.connectVaultsAndMarkets

Here's an overview of what's happening behind the scenes:

  • For each vaultIds recalculate vault credit capacity

  • For each marketIds do the following:

    • Recalculate credit capacity for each previously connected vault

    • Update connectedVaults to the new one

  • For each vaultIds, update connectedMarkets to the new one

So what does vault credit capacity recalculating exactly do? It does the following important updates:

  • Update creditDelegation weight and vault's totalCreditDelegationWeights

  • Distribute connected market's debt to connected vaults

  • Update vault's realized debt, unrealized debt, deposited usdc and weth reward distribution

  • Sync creditDelegation's debts, deposited usdc and weth reward distribution with market

So, all in all, the most important updates of markets and vaults are done here.

If we go back to the connection process with a focus on recalculation, we have the following:

  • New vaults and their old connected markets are updated

  • New markets and their old connected vaults are updated

And there is no more recalculation. Thus, the following recalculations are missed:

  • New vaults' old connected markets are not updated with updated connection

    • Old connected markets' and their connected vaults' credit capacity parameters are not updated

    • Old connected markets' connectedVault parameters are not updated

  • New markets' old connected vaults are not updated with updated connection

    • Old connected vaults' and their connected markets' credit capacity parameters are not updated

    • Old connected vaults' connectedMarket parameters are not updated

  • New markets' and new vaults' credit capacity parameters are not updated

Impact

Market and vault credit capacities are miscalculated. One single update of a connection will bring havoc to the protocol.

Since the usd token swap rate, index token swap rate and vault asset swap rate depend on vault and market credit capacity, this will cause user fund loss and protocol fund loss.

Tools Used

Manual Review

Recommendations

Connection logic should be reimplemented. All missing calculations mentioned in the Vulnerability Details section should be done in the MarketMakingEngineConfigurationBranch.connectVaultsAndMarkets method.

Updates

Lead Judging Commences

inallhonesty Lead Judge
5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
