Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Underflow in `Vault::_updateCreditDelegations` Leading to Denial-of-Service

0x23r0

Summary

In the _updateCreditDelegations function, an underflow vulnerability exists when calculating the creditDeltaUsdX18 value. This occurs when the newCreditDelegationUsdX18 is less than the previousCreditDelegationUsdX18, resulting in a negative value. Since creditDeltaUsdX18 is of type UD60x18 (unsigned), this triggers an underflow, causing the transaction to revert. This issue can lead to a denial-of-service (DoS) scenario, preventing the vault from updating credit delegations and disrupting the system's liquidity management.

Vulnerability Details

The vulnerability is in the _updateCreditDelegations function:

UD60x18 creditDeltaUsdX18 = newCreditDelegationUsdX18.sub(previousCreditDelegationUsdX18);

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/market-making/leaves/Vault.sol#L1C1-L617

Here, newCreditDelegationUsdX18 and previousCreditDelegationUsdX18 are both of type UD60x18, which represents unsigned decimal numbers. If newCreditDelegationUsdX18 is less than previousCreditDelegationUsdX18, the subtraction will result in a negative value. However, since UD60x18 cannot represent negative numbers, this operation will underflow, causing the transaction to revert.

Example Scenario:

Previous delegation: 100 USD (stored as UD60x18).
New delegation: 80 USD (due to reduced capacity).
Calculation: creditDeltaUsdX18 = 80 - 100 = -20.
Result: Underflow occurs, and the transaction reverts.

Impact

Vaults cannot update credit delegations when their credit capacity decreases, freezing debt distributions and liquidity management.

Tools Used

Manual review.

Recommendations

To mitigate this issue, implement a check to ensure that newCreditDelegationUsdX18 is greater than or equal to previousCreditDelegationUsdX18 before performing the subtraction. If newCreditDelegationUsdX18 is less than previousCreditDelegationUsdX18, handle the case appropriately (e.g., by setting creditDeltaUsdX18 to zero or using a signed type for the calculation).

UD60x18 creditDeltaUsdX18;

if (newCreditDelegationUsdX18 >= previousCreditDelegationUsdX18) {

creditDeltaUsdX18 = newCreditDelegationUsdX18.sub(previousCreditDelegationUsdX18);

} else {

// Handle the case where new delegation is less than previous delegation

creditDeltaUsdX18 = UD60x18_ZERO; // or handle it differently based on business logic

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Vault::_updateCreditDelegations uses unsigned UD60x18 for credit delegation delta calculation which will underflow on any decrease in credit delegation amount

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!