0xRobocop - Lack of a null epoch check on the triggerEndEpoch function could cause a loss of funds

[sherlock-admin]

0xRobocop

medium

Lack of a null epoch check on the triggerEndEpoch function could cause a loss of funds

Summary

The function triggerEndEpoch() at the ControllerPeggedAssetV2.sol contract lacks a check for a null epoch (collateral or premium vault did not received deposits). This means that even if the epoch should have been marked as null, the triggerEndEpoch() function can be executed causing loss of funds in the case where the premium vault received deposits and the collateral vault did not.

Vulnerability Detail

When the end of an epoch is triggered (no depeg occured), the TVL of the premium vault is sent to the collateral vault (minus fees):

uint256 epochFee = vaultFactory.getEpochFee(_epochId);

uint256 premiumTVL = premiumVault.finalTVL(_epochId);
uint256 collateralTVL = collateralVault.finalTVL(_epochId);

uint256 premiumFee = calculateWithdrawalFeeValue(premiumTVL, epochFee);

uint256 premiumTVLAfterFee = premiumTVL - premiumFee;
uint256 collateralTVLAfterFee = collateralTVL + premiumTVLAfterFee;

premiumVault.setClaimTVL(_epochId, 0);
        
collateralVault.setClaimTVL(_epochId, collateralTVLAfterFee);

premiumVault.sendTokens(_epochId, premiumFee, treasury);
      
premiumVault.sendTokens(
   _epochId,
   premiumTVLAfterFee,
   address(collateralVault)
 );

In the case where the premium vault received deposits but the collateral vault did not, means that all the TVL (minus fees) from the premium vault will be sent to the collateral vault, but since nobody minted on the collateral vault, the tokens will get stucked on the collateral vault contract.

Impact

The funds cannot be recovered by changing the controller and calling sendTokens, this is because sendTokens can only send a total amount up to finalTVL[epochId], since the collateral vault did not received deposits this value is zero:

function sendTokens(
        uint256 _id,
        uint256 _amount,
        address _receiver
    ) external onlyController epochIdExists(_id) epochHasEnded(_id) {
        if (_amount > finalTVL[_id]) revert AmountExceedsTVL();
        if (epochAccounting[_id] + _amount > finalTVL[_id])
            revert AmountExceedsTVL();
        if (!whitelistedAddresses[_receiver] && _receiver != counterPartyVault)
            revert DestinationNotAuthorized(_receiver);
        epochAccounting[_id] += _amount;
        SemiFungibleVault.asset.safeTransfer(_receiver, _amount);
    }

The scenario is very unlikely because triggerEndEpoch() can only be executed after epochEnd, meanwhile triggerNullEpoch() can be executed right after epochBegin. However, when the solution for a black swan event takes 3-5 lines of code the risk must be unacceptable.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L81

Tool used

Manual Review

Recommendation

Add the following to the triggerEndEpoch() function:

// check if epoch qualifies for null epoch
if (
   premiumVault.totalAssets(_epochId) == 0 ||
   collateralVault.totalAssets(_epochId) == 0
) {
    revert VaultZeroTVL();
  }

Duplicate of #108

[0xRobocop]

Escalate for 10 USDC

The issue explains how the funds on the premium vault can get lost in the case an epoch gets ended instead of being marked as null.

Duplicate of #108

[sherlock-admin]

Escalate for 10 USDC

The issue explains how the funds on the premium vault can get lost in the case an epoch gets ended instead of being marked as null.

Duplicate of #108

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[hrishibhat]

Escalation accepted

Valid Duplicate of #108

[rcstanciu]

Escalation accepted

Valid Duplicate of #108

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.