Liquidity Management

Summary

The _mint function is responsible for issuing vault shares when a deposit occurs. In a 1x long position, the function incorrectly computes the vault’s pre-deposit value (totalAmountBefore) by subtracting the deposit amount (expressed in collateral tokens) from the index token balance (expressed in index token units). This unit mismatch results in a miscalculation of share issuance, potentially over-allocating shares to new depositors and diluting the value of existing ones.

Vulnerability Details

• Issue Context:
  Deposits are made in a collateral token (e.g., USDC), but in a 1x long position the vault holds most of its value in index tokens (e.g., ETH) after performing a spot swap. The function branch for open positions calculates:

  totalAmountBefore = IERC20(indexToken).balanceOf(address(this)) - amount;

  Here, amount represents the deposit in collateral units while IERC20(indexToken).balanceOf(address(this)) is measured in index token units. This calculation assumes a 1:1 conversion rate between the tokens, which is not accurate when prices differ.

• Unit Mismatch & Valuation Error:
  In contrast, the _totalAmount(prices) function converts the index token balance into collateral token equivalents by applying:

  IERC20(indexToken).balanceOf(address(this)) * prices.indexTokenPrice.min / prices.shortTokenPrice.min

  and adding the collateral balance and net position value. By using the raw index token balance directly, the vault undervalues its total assets, leading to a smaller computed totalAmountBefore. Consequently, the share issuance calculation:

  _shares = amount * totalShares / totalAmountBefore;

  ends up over-allocating shares to the new depositor.

• Simulation Scenario:
  Assumptions:

  • Vault before deposit (in a 1x long position):

    • Index token balance = 5000 (e.g., ETH units)

    • Collateral token balance = 0 (all collateral swapped to index tokens)

    • Total Shares = 1000

  • A user deposits amount = 1000 collateral tokens (USDC).

  • Market Prices:

    • Index Token Price = $2

    • Collateral Token Price = $1

  Current Implementation:

  • Pre-deposit value is computed as:

    totalAmountBefore = 5000 - 1000 = 4000

  • Shares minted:

    shares = (1000 * 1000) / 4000 = 250 shares

  Correct Calculation (Using _totalAmount(prices)):

  • Vault total value should be calculated as:

    Total Vault Value = (5000 * 2/1) + 0 = 10000

  • Then, pre-deposit value becomes:

    totalAmountBefore = 10000 - 1000 = 9000

  • Shares minted:

    shares = (1000 * 1000) / 9000 ≈ 111 shares

  This discrepancy shows that the current implementation issues more than double the appropriate shares, diluting existing depositors.

Impact

• Dilution of Depositor Value:
  Over-issuance of shares due to the miscalculation decreases the value of existing shares, as the total share supply increases disproportionately relative to the actual vault value.

• Economic Exploitation:
  Malicious actors could repeatedly deposit collateral at an inflated share rate and later withdraw disproportionate value, effectively extracting value from the system.

• Inconsistent Vault Valuation:
  The use of mismatched units leads to an inaccurate representation of the vault’s assets. In volatile markets, even small discrepancies (e.g., due to an oracle price deviation from 1 USD for USDC) can compound over time, resulting in significant fairness issues among depositors.

Tools Used

• Manual Code Review:
  Detailed analysis of the _mint function and its interaction with _totalAmount(prices) and share calculations.

• Mathematical Simulation:
  Numerical examples demonstrating how the unit mismatch (collateral tokens vs. index tokens) leads to over-issuance of shares.

• Conceptual Analysis:
  Evaluation of the economic invariants, especially “Depositor Share Value Preservation”, to understand the long-term impact of incorrect share calculations.

Recommendations

1. Adopt Consistent Valuation:
   Always compute totalAmountBefore using the comprehensive _totalAmount(prices) function, which converts index token balances into collateral token equivalents:

   totalAmountBefore = _totalAmount(prices) - amount;

   This ensures all values are expressed in the same unit.

2. Revisit the Share Issuance Formula:
   Ensure that the share calculation is robust against unit mismatches. Consider parameterizing the precision multiplier (instead of hardcoding 1e8) with clear documentation and safeguards against rounding errors.