Underflow Risk in `Market::updateTotalDelegatedCredit` Function
Summary
The updateTotalDelegatedCredit function in the Market library is vulnerable to an underflow error when updating the total delegated credit. If a negative creditDeltaUsdX18 (e.g., during a vault withdrawal) causes the total delegated credit to become negative, the conversion to UD60x18 will revert, freezing all credit updates. This can permanently brick the protocol's credit delegation and withdrawal functionality.
Vulnerability Details
The issue isin the updateTotalDelegatedCredit function:
Issue Breakdown:
Underflow Condition:
The function addscreditDeltaUsdX18(which can be negative) to the currenttotalDelegatedCreditUsd. If the result is negative, the conversion toUD60x18will revert due to the underflow check in theintoUD60x18function:
Example Scenario:
totalDelegatedCreditUsd= 100creditDeltaUsdX18= -150The calculation attempts to compute:
100 + (-150) = -50The conversion to
UD60x18reverts because-50is negative.
Impact
All credit delegation and withdrawal functions will revert if the total delegated credit becomes negative, effectively bricking the protocol.
Tools Used
Manual review
Recommendations
To fix the issue, add a check to ensure that the total delegated credit does not become negative after applying the creditDeltaUsdX18. If the result would be negative, revert with a descriptive error message.
Lead Judging Commences
Vault::_updateCreditDelegations uses unsigned UD60x18 for credit delegation delta calculation which will underflow on any decrease in credit delegation amount
Appeal created
Vault::_updateCreditDelegations uses unsigned UD60x18 for credit delegation delta calculation which will underflow on any decrease in credit delegation amount
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.