Part 2

Summary

The _configureMarketConnectedVaults and _configureVaultConnectedMarkets functions from MarketMakingEngineConfigurationBranch overwrite previous vaults and markets connections by creating a new array without preserving the old connections. This causes previously connected markets to stop working with new vaults and vaults to stop working with new markets, potentially disrupting the entire system.

Vulnerability Details

New Array Overwrites Previous Connections

• The function creates a new empty array before adding new vaults

• Similarly, this also creates a new array.

Since only the values of last array is considered legitimate in markets and vaults, if old values are not added, vault's realized debt, weth rewards calculation will get disrupted, and market's totalDelegatedCreditUsd will still hold delegated credit from old vaults because nowhere delegated credit from old vaults are deducted. As a result functions like CreditDelegationBranch::withdrawUsdTokenFromMarket and CreditDelegationBranch::getAdjustedProfitForMarketId which uses market's delegated credit for calculation will return wrong values

Impact

• Previously connected vaults will be lost, leading to unexpected disconnections.

• Old markets will stop working with newly connected vaults, breaking liquidity and credit mechanisms.

• Markets will show previous vault's delegated credit even when it has lost it connection with previous vault

• Vault's calculation of usdc deposit to back usd token will get disrupted, old market's usd token issuance will be retained in the vaults even when they are not connected now

Tools Used

• Manual code review

Recommendations

Add old values again before adding new ones in the last array