The _recalculateConnectedMarketsState() function updates the vault's debt values from data pulled from connected markets. It does not check that the market.getUnrealizedDebtUsd() and market.getRealizedDebtUsd() values it receives are consistent with each other or within an expected range, so a compromised or misconfigured market can report arbitrary debt values and inflate or deflate a vault's total debt. The following code directly updates vault debt without any verification:
These values are then used to update the vault’s debt:
Because no upper or lower bounds are enforced and the reported values are never compared with earlier ones, a single malicious or malfunctioning market can move a vault's debt by an arbitrary amount in one update, and that figure feeds directly into the vault's credit calculations and liquidation logic.
A vault’s debt can be artificially inflated or deflated, leading to incorrect credit capacity calculations, potential vault insolvency, or wrongful liquidations of user funds.
Before accepting market.getUnrealizedDebtUsd() and market.getRealizedDebtUsd(), enforce upper and lower bounds (for example, cap the absolute value a market may report and the change permitted per update, sized to expected volatility) and compare each report against the previously accepted value for that market to detect anomalies. Decide explicitly how an out-of-range report is handled: reverting the whole recalculation lets one market block updates for every other market, while skipping the offending market leaves the vault using a stale debt figure for it until the market is fixed or disconnected, so the chosen behaviour should be paired with an event and an operator response.
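An illustrative hardened version of the update loop, added here as an example and not code from the audited project. Only the two getter names come from the finding; the IMarket interface and its int256 return types, the DebtBoundedVault contract, the risk parameters maxAbsDebtUsd, maxDeltaBps and maxDeltaAbsUsd, and the per-market DebtSnapshot bookkeeping are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: only the two getter names appear in the finding;
// the int256 return type is an assumption of this example.
interface IMarket {
    function getUnrealizedDebtUsd() external view returns (int256);
    function getRealizedDebtUsd() external view returns (int256);
}

// Illustrative vault (not the audited code) that accepts a market's debt report
// only if it is inside a hard cap and close to the last value accepted from it.
contract DebtBoundedVault {
    struct DebtSnapshot {
        int256 unrealizedUsd;
        int256 realizedUsd;
        bool initialized;
    }

    uint256 public immutable maxAbsDebtUsd;  // hard cap on |debt| any single market may report
    uint256 public immutable maxDeltaBps;    // max relative change per update, in basis points
    uint256 public immutable maxDeltaAbsUsd; // absolute step always allowed, so a ~0 value can still move

    mapping(address => DebtSnapshot) public lastAccepted;
    int256 public totalUnrealizedDebtUsd;
    int256 public totalRealizedDebtUsd;

    event MarketDebtRejected(address indexed market, int256 unrealizedUsd, int256 realizedUsd);

    constructor(uint256 maxAbsDebtUsd_, uint256 maxDeltaBps_, uint256 maxDeltaAbsUsd_) {
        // Keep the cap small enough that (reported - previous) can never overflow int256.
        require(maxAbsDebtUsd_ > 0 && maxAbsDebtUsd_ <= uint256(type(int256).max) / 2, "bad cap");
        maxAbsDebtUsd = maxAbsDebtUsd_;
        maxDeltaBps = maxDeltaBps_;
        maxDeltaAbsUsd = maxDeltaAbsUsd_;
    }

    function _abs(int256 x) internal pure returns (uint256) {
        if (x == type(int256).min) return 1 << 255; // -x would overflow; 2**255 is its magnitude
        return x < 0 ? uint256(-x) : uint256(x);
    }

    // Range check (hard cap) plus anomaly check against the previously accepted value.
    function _withinBounds(int256 previous, int256 reported, bool hasPrevious) internal view returns (bool) {
        if (_abs(reported) > maxAbsDebtUsd) return false;
        if (!hasPrevious) return true; // first report from this market: only the cap applies
        uint256 allowed = _abs(previous) * maxDeltaBps / 10_000;
        if (allowed < maxDeltaAbsUsd) allowed = maxDeltaAbsUsd;
        return _abs(reported - previous) <= allowed;
    }

    // Plays the role of _recalculateConnectedMarketsState(): pull both debt figures from
    // every connected market and fold them into the vault totals, but only after validation.
    function _recalculateConnectedMarketsState(address[] calldata markets) internal {
        for (uint256 i = 0; i < markets.length; i++) {
            IMarket market = IMarket(markets[i]);
            int256 unrealized = market.getUnrealizedDebtUsd();
            int256 realized = market.getRealizedDebtUsd();
            DebtSnapshot storage snap = lastAccepted[markets[i]];

            bool ok = _withinBounds(snap.unrealizedUsd, unrealized, snap.initialized)
                && _withinBounds(snap.realizedUsd, realized, snap.initialized);
            if (!ok) {
                // Keep the last accepted snapshot for this market and move on: one bad
                // market must not poison the totals, and reverting would let it block
                // every other market's update.
                emit MarketDebtRejected(markets[i], unrealized, realized);
                continue;
            }

            // Apply only the change relative to what this market last contributed.
            totalUnrealizedDebtUsd += unrealized - snap.unrealizedUsd;
            totalRealizedDebtUsd += realized - snap.realizedUsd;
            snap.unrealizedUsd = unrealized;
            snap.realizedUsd = realized;
            snap.initialized = true;
        }
    }

    // Entry point for the example; access control is out of scope here.
    function recalculate(address[] calldata markets) external {
        _recalculateConnectedMarketsState(markets);
    }
}
```

The per-update bound acts as a circuit breaker, not a proof of correctness: a market that is compromised can still drift the vault's debt within the allowed step on every update, so the MarketDebtRejected event (and a count of consecutive rejections) should feed a pause or disconnect path rather than being left unmonitored. The example skips rather than reverts so that one faulty market cannot block recalculation for the others; the cost is that the vault keeps using that market's last accepted figures until an operator intervenes.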