Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

`initiateSwap` Accepts Transfers for Paused Vaults Leading to Stuck Tokens

0xexploud

Summary

The initiateSwap function in StabilityBranch.sol accepts and transfers user tokens for multiple vaults without validating their active status. When a vault is paused, the keeper's fulfillSwap operation for that specific request will revert, leaving those tokens stuck until the refund deadline.

Vulnerability Details

The vulnerability stems from mismatched validation between initiateSwap and fulfillSwap:
In initiateSwap:

for (uint256 i; i < amountsIn.length; i++) {

if (i != 0) {

currentVault = Vault.load(vaultIds[i]); // Only basic load, no status check

if (currentVault.collateral.asset != ctx.initialVaultCollateralAsset) {

revert Errors.VaultsCollateralAssetsMismatch();

}

// Transfers tokens without vault status validation

ctx.usdTokenOfEngine.safeTransferFrom(msg.sender, address(this), amountsIn[i]);

}

In fulfillSwap (called by keeper for each request individually):

function fulfillSwap(address user, uint128 requestId, bytes calldata priceData, address engine) external {

// ...

Vault.Data storage vault = Vault.loadLive(ctx.vaultId); // Strict validation that reverts if vault not live

// ...

}

Example Scenario:

User initiates a swap with multiple vaults: [Vault1(live), Vault2(paused), Vault3(live)]
initiateSwap accepts all transfers:
- Transfer for Vault1: 100 tokens
- Transfer for Vault2 (paused): 50 tokens
- Transfer for Vault3: 75 tokens
Keeper processes each request separately:
- Vault1 request: Succeeds, tokens swapped
- Vault2 request: Reverts due to loadLive check, 50 tokens stuck
- Vault3 request: Succeeds, tokens swapped
Result:
- Vault1 & Vault3: Successfully processed
- Vault2: 50 tokens stuck until refund deadline

Impact

Tokens sent to paused vaults become temporarily locked. Users must wait for deadline expiry to reclaim tokens via refundSwap and incur base fee on redeem.

Tools Used

Manual Review

Recommendations

Validate all vault statuses for liveness before performing any token transfers

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`initiateSwap` allows users to initiate swap even when the vault is paused

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!