Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Token Order in `CreditDelegationBranch::calculateSwapAmount` Leads to Improper Debt Settlement

Summary

In the `settleVaultsDebt()` function, the token order in the `calculateSwapAmount` call is incorrect. This results in the calculation of the wrong swap amount when settling vault debt, leading to improper debt settlements, financial losses, and potential instability in the protocol.

Vulnerability Details

The issue is in the `settleVaultsDebt()` function, specifically in the logic for handling vaults in debt. Here’s the problematic code snippet:

```solidity
// get swap amount; both input and output in native precision
ctx.swapAmount = calculateSwapAmount(
    dexSwapStrategy.dexAdapter,
    ctx.usdc,
    ctx.vaultAsset,
    usdcCollateralConfig.convertSd59x18ToTokenAmount(ctx.vaultUnsettledRealizedDebtUsdX18.abs())
);
```

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/market-making/branches/CreditDelegationBranch.sol#L438-L444

Issue Description

  1. Incorrect Token Order:

    • The calculateSwapAmount function is designed to calculate the amount of assetIn required to obtain assetOut based on the provided amount.

    • In the current implementation, the tokens are passed in the wrong order:

      • ctx.usdc is incorrectly passed as assetIn.

      • ctx.vaultAsset is incorrectly passed as assetOut.

    • This means the function is calculating how much USDC is needed to obtain the vault’s underlying asset, which is the opposite of the intended behavior.

  2. Intended Behavior:

    • For a vault in debt, the protocol should calculate how much of the vault’s underlying asset (ctx.vaultAsset) is required to cover the unsettled debt in USDC.

    • The correct token order should be:

      `calculateSwapAmount(dexAdapter, ctx.vaultAsset, ctx.usdc, amount)`

  3. Consequences:

    • The current implementation will calculate an incorrect swap amount, leading to improper debt settlements.

    • If the vault’s underlying asset is volatile, this could result in significant financial losses for the protocol or its users.

    • The protocol may fail to properly settle vault debt, leading to instability in the system.

Impact

  • Critical Severity: This bug directly impacts the core functionality of the protocol, specifically the settlement of vault debt. The potential consequences include:

    • Incorrect debt settlements, resulting in financial losses for the protocol or its users.

    • Potential exploitation by malicious actors to manipulate vault debt settlements.

    • Instability in the protocol due to unresolved debt positions.

Tools Used

Manual review.

Recommendations

To fix this bug, the token order in the calculateSwapAmount call should be corrected. Here’s the corrected code:

```solidity
// get swap amount; both input and output in native precision
ctx.swapAmount = calculateSwapAmount(
    dexSwapStrategy.dexAdapter,
    ctx.vaultAsset, // assetIn: vault's underlying asset
    ctx.usdc, // assetOut: USDC
    usdcCollateralConfig.convertSd59x18ToTokenAmount(ctx.vaultUnsettledRealizedDebtUsdX18.abs())
);
```
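
Added example (not Zaros code and not part of the submission): which argument order is correct depends on whether the quote behind `calculateSwapAmount` takes its amount in `assetIn` units and returns `assetOut` units, or the reverse. The constructed model below assumes a fixed price of 2,000 USDC per vault-asset token, 6 and 18 decimals, placeholder addresses, and the hypothetical names `expectedOutput`, `requiredInput` and `check`; it shows the order each quote direction needs for a 1,000 USDC debt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed model, not Zaros code: fixed-price quoter, no fees or slippage.
contract QuoteDirectionModel {
    address internal constant USDC = address(0x1);          // placeholder, 6 decimals
    address internal constant VAULT_ASSET = address(0x2);   // placeholder, 18 decimals
    uint256 internal constant PRICE_USDC_PER_ASSET = 2000;  // assumed price

    /// Direction A: `amountIn` is in `assetIn` units; returns `assetOut` units.
    function expectedOutput(address assetIn, address assetOut, uint256 amountIn)
        public pure returns (uint256)
    {
        if (assetIn == USDC && assetOut == VAULT_ASSET) {
            // scale 1e6 -> 1e18, then divide by the price
            return amountIn * 1e12 / PRICE_USDC_PER_ASSET;
        }
        if (assetIn == VAULT_ASSET && assetOut == USDC) {
            // multiply by the price, then scale 1e18 -> 1e6
            return amountIn * PRICE_USDC_PER_ASSET / 1e12;
        }
        revert("unsupported pair");
    }

    /// Direction B: `amountOut` is in `assetOut` units; returns `assetIn` units required.
    function requiredInput(address assetIn, address assetOut, uint256 amountOut)
        public pure returns (uint256)
    {
        // At a fixed price with no fees this is the mirror image of direction A.
        return expectedOutput(assetOut, assetIn, amountOut);
    }

    /// A 1,000 USDC debt should map to 0.5 vault-asset tokens.
    function check() external pure returns (bool) {
        uint256 debtUsdc = 1000e6;
        uint256 want = 0.5 ether; // 5e17 in 18-decimal units

        // Direction A: USDC must come first, because the amount is in USDC units.
        require(expectedOutput(USDC, VAULT_ASSET, debtUsdc) == want, "A");
        // Direction A with the order flipped reads 1e9 as asset wei and returns dust.
        require(expectedOutput(VAULT_ASSET, USDC, debtUsdc) == 2, "A flipped");
        // Direction B: the vault asset must come first for the same amount.
        require(requiredInput(VAULT_ASSET, USDC, debtUsdc) == want, "B");
        return true;
    }
}
```

Confirming which direction the adapter's quote function implements, and which token the amount argument is denominated in, is the check that settles a finding of this kind.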
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
