Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Valid

Premium/discount factor calculation is reversed in `getPremiumDiscountFactor()`

Summary

The `getPremiumDiscountFactor()` function applies a premium when the vault is in debt and a discount when it is in credit, which destabilizes the vault's financial position.

Vulnerability Details

The issue exists in the getPremiumDiscountFactor() function where the premium/discount calculation is reversed:

File: UsdTokenSwapConfig.sol

```solidity
// if the vault is in credit, we apply a discount, otherwise, we apply a premium
premiumDiscountFactorX18 =
    vaultDebtUsdX18.lt(SD59x18_ZERO) ? UD60x18_UNIT.sub(pdCurveYX18) : UD60x18_UNIT.add(pdCurveYX18);
```

When `vaultDebtUsdX18` is negative (vault in credit), the function subtracts `pdCurveYX18`, applying a discount; when it is positive (vault in debt), the function adds `pdCurveYX18`, applying a premium. This is the opposite of what should happen: vaults in debt should have discounts to encourage deposits, while vaults in credit should have premiums to discourage withdrawals.

Impact

The incorrect premium/discount application allows traders to withdraw more assets when vaults are in debt and fewer assets when vaults are in credit.

Recommendations

Reverse the premium/discount logic by swapping the addition and subtraction operations in getPremiumDiscountFactor().
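The direction check below is an added example, not code from the report or the Zaros repository: a Python model of the quoted branch and of the swapped branch, with an invariant check for the direction the report expects. The function names, the `assets_out` payout step, the restriction of `y` to (0, 1e18] and the sample values are assumptions made for illustration.

```python
# Added model of the branch quoted above; not code from the Zaros repository.
# Fixed-point values use 18 decimals, mirroring the X18 suffix in the Solidity.
UNIT = 10**18  # stands in for UD60x18_UNIT


def factor_as_deployed(vault_debt_usd_x18: int, pd_curve_y_x18: int) -> int:
    """Branch as quoted in the report: credit (debt < 0) -> 1 - y, else 1 + y."""
    if vault_debt_usd_x18 < 0:
        return UNIT - pd_curve_y_x18
    return UNIT + pd_curve_y_x18


def factor_as_recommended(vault_debt_usd_x18: int, pd_curve_y_x18: int) -> int:
    """Branch with addition and subtraction swapped, per the Recommendations."""
    if vault_debt_usd_x18 < 0:
        return UNIT + pd_curve_y_x18
    return UNIT - pd_curve_y_x18


def direction_violations(factor_fn, cases):
    """Return the cases that break the direction the report expects:
    debt (> 0) must give a factor below 1, credit (< 0) a factor above 1."""
    bad = []
    for debt, y in cases:
        if not 0 < y <= UNIT:
            raise ValueError("pd_curve_y_x18 must be in (0, 1e18] for this model")
        f = factor_fn(debt, y)
        if (debt > 0 and f >= UNIT) or (debt < 0 and f <= UNIT):
            bad.append((debt, y, f))
    return bad


def assets_out(amount_x18: int, factor_x18: int) -> int:
    """Hypothetical payout step: scale a base amount by the factor (rounds down)."""
    return amount_x18 * factor_x18 // UNIT


# Constructed sample inputs: (vault debt in USD, curve output y), both X18.
CASES = [
    (50_000 * UNIT, 5 * UNIT // 100),   # vault in debt, y = 0.05
    (-50_000 * UNIT, 5 * UNIT // 100),  # vault in credit, y = 0.05
    (1, UNIT // 1000),                  # smallest positive debt, y = 0.001
]

if __name__ == "__main__":
    for name, fn in [("deployed", factor_as_deployed), ("recommended", factor_as_recommended)]:
        payout = assets_out(1000 * UNIT, fn(*CASES[0])) // UNIT  # in-debt vault
        print(name, "violations:", len(direction_violations(fn, CASES)), "payout:", payout)
```

The same direction property can be carried into a Foundry fuzz test against the real function once its inputs are known.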

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The getPremiumDiscountFactor() function applies premiums and discounts inversely to what would maintain protocol stability
