Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

roguereddwarf - ControllerPeggedAssetV2: triggerEndEpoch function can be called even if epoch is null epoch leading to loss of funds #108

Open
sherlock-admin opened this issue Mar 27, 2023 · 2 comments
Open

roguereddwarf - ControllerPeggedAssetV2: triggerEndEpoch function can be called even if epoch is null epoch leading to loss of funds #108

sherlock-admin opened this issue Mar 27, 2023 · 2 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

roguereddwarf

medium

ControllerPeggedAssetV2: triggerEndEpoch function can be called even if epoch is null epoch leading to loss of funds

Summary

An epoch can be resolved in three ways which correspond to the three functions available in the Controller:
triggerDepeg, triggerEndEpoch, triggerNullEpoch.

The issue is that triggerEndEpoch can be called even though triggerNullEpoch should be called.
"Null epoch" means that any of the two vaults does not have funds deposited. In this case the epoch should be resolved with triggerNullEpoch such that funds are not transferred from the premium vault to the collateral vault.

So in triggerEndEpoch is should be checked whether the conditions for a null epoch apply. If that's the case, the triggerEndEpoch function should revert.

Vulnerability Detail

The assumption the code makes is that if the null epoch applies, triggerNullEpoch will be called before the end timestamp of the epoch which is when triggerEndEpoch can be called.

This is not necessarily true.

triggerNullEpoch might not be called in time (e.g. because the epoch duration is very short or simply nobody calls it) and then the triggerEndEpoch function can be called which sends the funds from the premium vault into the collateral vault:
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L172-L192

If the premium vault is the vault which has funds and the collateral vault does not, then the funds sent to the collateral vault are lost.

Impact

Loss of funds for users that have deposited into the premium vault.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L144-L202

Tool used

Manual Review

Recommendation

triggerEndEpoch should only be callable when the conditions for a null epoch don't apply:

diff --git a/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol b/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol
index 0587c86..7b25cf3 100644
--- a/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol
+++ b/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol
@@ -155,6 +155,13 @@ contract ControllerPeggedAssetV2 {
             collateralVault.epochExists(_epochId) == false
         ) revert EpochNotExist();
 
+        if (
+            premiumVault.totalAssets(_epochId) == 0 ||
+            collateralVault.totalAssets(_epochId) == 0
+        ) {
+            revert VaultZeroTVL();
+        }
+
         (, uint40 epochEnd, ) = premiumVault.getEpochConfig(_epochId);
 
         if (block.timestamp <= uint256(epochEnd)) revert EpochNotExpired();
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Apr 3, 2023
This was referenced Apr 3, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@3xHarry 3xHarry added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Apr 5, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue Apr 11, 2023
@3xHarry
fix sherlock-audit/2023-03-Y2K-judging#108
acf4ce4
@3xHarry
Copy link

3xHarry commented Apr 11, 2023

fix PR: Y2K-Finance/Earthquake#140

@0xRobocop 0xRobocop mentioned this issue Apr 11, 2023
Closed
@yixxas yixxas mentioned this issue Apr 11, 2023
Closed
@3xHarry 3xHarry added the Will Fix The sponsor confirmed this issue will be fixed label Apr 28, 2023
@IAm0x52
Copy link
Collaborator

IAm0x52 commented May 5, 2023

Fix looks good. triggerEndEpoch can no longer be called on expired, null epochs

3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue May 8, 2023
@3xHarry
Sherlock fix sherlock-audit/2023-03-Y2K-judging#108 (#140)
8d2fc9d
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin @IAm0x52 @3xHarry