Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Early Return Condition Leading to Inverted Risk Management in Market Stress Conditions

Description

The CreditDelegationBranch contract implements a dynamic auto-deleverage system in which the getAutoDeleverageFactor function scales restrictions from 1.0 (none) to 0.0 (full) based on market stress levels. However, the function contains a severe logical flaw: its early return condition produces the maximum deleverage factor (1.0) during critical market conditions, completely inverting the intended risk management behavior.

    if (sdDelegatedCreditUsdX18.lte(totalDebtUsdX18) || sdDelegatedCreditUsdX18.isZero()) {
        return UD60x18_UNIT; // Returns 1.0 (100%) when it should be most restrictive
    }

The vulnerability creates a paradoxical feedback loop in the risk management system. Under stress conditions where credit falls below debt levels, the system maximizes risk exposure by returning the highest possible deleverage factor (1.0). This inverts the intended protection mechanism, allowing unlimited minting and profit taking precisely when the system requires maximum restrictions.

Impact

The flaw affects multiple critical system layers. At the token minting level, it enables unrestricted issuance during market stress:

    function withdrawUsdTokenFromMarket(uint128 marketId, uint256 amount) external {
        if (market.isAutoDeleverageTriggered(/*...*/)) {
            // Returns maximum factor (1.0) in stress conditions
            // Allows unrestricted minting when it should be most limited
            UD60x18 adjustedUsdTokenToMintX18 = market.getAutoDeleverageFactor(/*...*/).mul(amountX18);
        }
    }

The profit calculation system similarly fails to apply needed restrictions:

    function getAdjustedProfitForMarketId(uint128 marketId, uint256 profitUsd) public view {
        if (market.isAutoDeleverageTriggered(/*...*/)) {
            // No profit reduction in stressed conditions
            adjustedProfitUsdX18 = market.getAutoDeleverageFactor(/*...*/).mul(adjustedProfitUsdX18);
        }
    }

Exploit path

The vulnerability enables a destructive feedback cycle:

  1. Market stress reduces credit below the debt threshold

  2. System returns maximum factor instead of minimum

  3. Unrestricted minting and profit extraction become possible

  4. Further credit deterioration occurs

  5. Cycle amplifies until system insolvency

This creates opportunities for malicious actors to deliberately stress markets and extract value through unrestricted operations when controls should be tightest.

Fix

The fix requires inverting the early return logic to provide maximum protection during stress:

    function getAutoDeleverageFactor(
        Data storage self,
        UD60x18 delegatedCreditUsdX18,
        SD59x18 totalDebtUsdX18
    ) internal view returns (UD60x18) {
        // Cast the unsigned credit to signed so it can be compared with the signed debt
        SD59x18 sdDelegatedCreditUsdX18 = delegatedCreditUsdX18.intoSD59x18();
        if (sdDelegatedCreditUsdX18.lte(totalDebtUsdX18) || sdDelegatedCreditUsdX18.isZero()) {
            return UD60x18_ZERO; // Minimum factor in stress conditions
        }
        // ... normal calculation
    }

This ensures the system applies maximum restrictions during periods of market stress, protecting system solvency and preventing exploit scenarios.

The severity is critical as the flaw fundamentally compromises system risk management, enabling catastrophic failure scenarios during market stress events.
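The following Foundry test is an added example, not code from the submission or from Zaros. It pins down when the quoted early-return condition fires and what each candidate return value (the quoted UD60x18_UNIT and the proposed UD60x18_ZERO) does to a caller that multiplies an amount by the factor. It assumes plain 1e18-scaled integers as stand-ins for PRBMath's UD60x18 and SD59x18; the contract and helper names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Added model, not Zaros code: 1e18-scaled integers stand in for UD60x18 /
/// SD59x18, and only the early-return branch is modelled (the "normal
/// calculation" is not shown on the page, so it is not reproduced here).
contract EarlyReturnModelTest is Test {
    uint256 constant UNIT = 1e18; // 1.0, the value the quoted code returns
    uint256 constant ZERO = 0;    // 0.0, the value the submission proposes

    /// Mirrors `credit.lte(totalDebt) || credit.isZero()`.
    function hitsEarlyReturn(uint256 creditX18, int256 totalDebtX18) internal pure returns (bool) {
        return int256(creditX18) <= totalDebtX18 || creditX18 == 0;
    }

    /// Mirrors `factor.mul(amountX18)`: 18-decimal fixed-point multiply.
    function scale(uint256 factorX18, uint256 amountX18) internal pure returns (uint256) {
        return factorX18 * amountX18 / UNIT;
    }

    function test_whenEarlyReturnFires() public {
        assertTrue(hitsEarlyReturn(50e18, 80e18)); // credit below debt
        assertTrue(hitsEarlyReturn(80e18, 80e18)); // credit equal to debt
        // Total debt is a signed type, so a negative value is representable.
        // Zero credit is not <= a negative debt; only isZero() catches it.
        assertTrue(hitsEarlyReturn(0, -5e18));
        // Credit above debt falls through to the normal calculation.
        assertFalse(hitsEarlyReturn(100e18, 80e18));
        assertFalse(hitsEarlyReturn(1e18, -5e18));
    }

    function test_effectOnCallers() public {
        uint256 amountX18 = 1_000e18; // constructed sample amount
        assertEq(scale(UNIT, amountX18), amountX18); // quoted return: amount passes through unchanged
        assertEq(scale(ZERO, amountX18), 0);         // proposed return: mint or profit amount becomes zero
    }
}
```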

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
