Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

USDC acquired during vault debt settling is stuck in the protocol

Summary

When settling a vault's debt, the protocol converts the vault's underlying asset to USDC to cover that debt. However, the received USDC is not used anywhere and is stuck in the protocol.

Vulnerability Details

In CreditDelegationBranch.settleVaultsDebt, an in-debt vault's asset is swapped to USDC.

vault.marketsRealizedDebtUsd -= ctx.usdcOutX18.intoUint256().toInt256().toInt128();
UsdTokenSwapConfig.load().usdcAvailableForEngine[vault.engine] += ctx.usdcOutX18.intoUint256(); // @audit check if this is available in usd minting

Although the vault's debt is decreased and usdcAvailableForEngine is increased, the swapped USDC is stuck in the protocol.

Because:

  • Since the corresponding vault's depositedUsdc is not increased, the swapped USDC doesn't belong to any market or vault.

  • Although usdcAvailableForEngine is increased, this value is not used anywhere else in the protocol.

  • There is no token rescue mechanism in the protocol. There is no way for an authorized party to transfer a token out once it is stuck.

Impact

The USDC and the corresponding user funds will be stuck.

Tools Used

Manual Review

Recommendations

This USDC should back USD token minting.

For example, in CreditDelegationBranch.withdrawUsdTokenFromMarket, if there is enough usdcAvailableForEngine, it can mint USD token without checking the market's credit capacity.

Also, a token rescue mechanism can be added to the protocol.
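The claim under Vulnerability Details that usdcAvailableForEngine is increased but "not used anywhere else" is a write-only accounting variable, which a reviewer can screen for mechanically. The following is an added example, not code from the submission or from the Zaros repository: `SAMPLE_SOL` is a constructed contract that only borrows the two variable names from this page, and `write_only_vars` is a hypothetical regex heuristic (not a Solidity parser) that treats compound assignments such as `+=` as writes.

```python
import re

# Constructed sample (not Zaros code): one mapping is only accumulated,
# the other is both written and read.
SAMPLE_SOL = """
contract Sample {
    mapping(address => uint256) usdcAvailableForEngine;
    mapping(address => uint256) depositedUsdc;

    function settle(address engine, uint256 usdcOut) external {
        usdcAvailableForEngine[engine] += usdcOut; // credited, never consumed
        depositedUsdc[engine] += usdcOut;
    }

    function withdraw(address engine, uint256 amount) external {
        require(depositedUsdc[engine] >= amount, "insufficient");
        depositedUsdc[engine] -= amount;
    }
}
"""

# Simple storage declarations: "<type> [visibility] <name>;"
DECL = re.compile(
    r"^\s*(?:mapping\s*\(.*\)|u?int\d*|address|bool)\s+"
    r"(?:(?:public|private|internal)\s+)?(\w+)\s*;", re.M)
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def write_only_vars(source: str) -> list[str]:
    """Return declared variables whose every use is an assignment target."""
    code = COMMENTS.sub("", source)
    flagged = []
    for decl in DECL.finditer(code):
        name = decl.group(1)
        # Drop the declaration itself so it is not counted as a use.
        body = code[:decl.start()] + code[decl.end():]
        # Group 1 is set only when the name (plus any [index]) is directly
        # followed by =, +=, -=, *= or /= (and not by ==, >=, <=, !=).
        use = re.compile(
            rf"\b{re.escape(name)}\b((?:\[[^\]]*\])*\s*[-+*/]?=(?!=))?")
        uses = list(use.finditer(body))
        if uses and all(m.group(1) for m in uses):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(write_only_vars(SAMPLE_SOL))
```

A flagged name is a prompt for manual review, not a finding in itself: the value may be consumed off-chain or reserved for a later release.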

Updates

Lead Judging Commences

inallhonesty Lead Judge
5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
