Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Valid

Wrong comparison operator in `redeem()` credit capacity check

Summary

The credit capacity check in `redeem()` uses `.lte()` instead of `.gte()`, which causes withdrawals to revert when there is sufficient credit capacity and to succeed when there isn't enough.

Vulnerability Details

In `redeem()`, the credit capacity check uses `.lte()` to compare the credit capacity delta with the locked credit capacity.

File: VaultRouterBranch.sol

```solidity
// if the credit capacity delta is greater than the locked credit capacity before the state transition, revert
if (
    ctx.creditCapacityBeforeRedeemUsdX18.sub(vault.getTotalCreditCapacityUsd()).lte(
        ctx.lockedCreditCapacityBeforeRedeemUsdX18.intoSD59x18()
    )
) {
    revert Errors.NotEnoughUnlockedCreditCapacity();
}
```

But in fact, it should revert when the credit capacity delta is greater than the locked credit capacity.

Impact

Withdrawals will incorrectly revert when there is sufficient locked credit capacity and succeed when there isn't enough credit capacity to facilitate the withdrawal.

Recommendations

Change the comparison operator from `.lte()` to `.gte()` to properly validate that there is enough locked credit capacity for the withdrawal.
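The following model is an added example, not code from the Zaros repository or from this submission. It places the quoted `.lte()` condition beside the condition the code comment describes and the recommended `.gte()`, for a delta below, equal to, and above the locked amount. Plain `int256` values with 18 decimals stand in for the SD59x18 amounts, and the contract name, function names and sample numbers are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Zaros code. Plain int256 values with 18 decimals stand in
/// for the SD59x18 amounts; contract and function names are hypothetical.
contract RedeemCheckModel {
    int256 internal constant USD = 1e18;

    /// Condition as quoted from redeem(): revert when delta <= locked (.lte()).
    function revertsAsWritten(int256 beforeUsd, int256 afterUsd, int256 lockedUsd) public pure returns (bool) {
        return beforeUsd - afterUsd <= lockedUsd;
    }

    /// Condition the code comment describes: revert when delta > locked.
    function revertsPerComment(int256 beforeUsd, int256 afterUsd, int256 lockedUsd) public pure returns (bool) {
        return beforeUsd - afterUsd > lockedUsd;
    }

    /// Condition the report recommends: revert when delta >= locked (.gte()).
    function revertsAsRecommended(int256 beforeUsd, int256 afterUsd, int256 lockedUsd) public pure returns (bool) {
        return beforeUsd - afterUsd >= lockedUsd;
    }

    /// Constructed sample values: 1000 USD capacity before redeem, 100 USD locked.
    function selfCheck() external pure returns (bool) {
        int256 b = 1000 * USD;
        int256 locked = 100 * USD;

        // delta 50 < locked 100: only the quoted condition reverts.
        int256 a = 950 * USD;
        assert(revertsAsWritten(b, a, locked));
        assert(!revertsPerComment(b, a, locked) && !revertsAsRecommended(b, a, locked));

        // delta 100 == locked 100: .lte() and .gte() both revert, strict > does not.
        a = 900 * USD;
        assert(revertsAsWritten(b, a, locked) && revertsAsRecommended(b, a, locked));
        assert(!revertsPerComment(b, a, locked));

        // delta 300 > locked 100: the quoted condition is the only one that does not revert.
        a = 700 * USD;
        assert(!revertsAsWritten(b, a, locked));
        assert(revertsPerComment(b, a, locked) && revertsAsRecommended(b, a, locked));
        return true;
    }
}
```

The middle case shows that `.gte()` and the strict "greater than" wording of the code comment differ only when the delta equals the locked amount exactly.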

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The check in VaultRouterBranch::redeem should be comparing remaining capacity against required locked capacity not delta against locked capacity
