warRoom - No check for zero TVL of either vault in triggerEndEpoch() leading to permanent freezing of funds

[sherlock-admin]

warRoom

high

No check for zero TVL of either vault in triggerEndEpoch() leading to permanent freezing of funds

Summary

When triggerEndEpoch() of ControllerPeggedAssetV2 is called, there is no check for zero TVL of either vault before resolving the epoch and transferring the funds to counterpartyVault

Vulnerability Detail

Where: ControllerPeggedAssetV2

Consider,

• There is no depositor in collateralVault till beginEpoch time, So collateral TVL = 0.
• There are depositors in premiumVault, so premium TVL > 0
• No one has called triggerNullEpoch() till Epoch ends.
• Now if someone calls triggerEndEpoch()
  • Epoch will be resolved
  • Funds from the premium vault will be transferred to the collateral vault but there is no collateral user to claim it. So, the funds are locked for this epoch in the collateral vault
  • Ideally, in such a scenario, premium vault users should have been able to claim their premium back (as it happens in triggerNullEpoch).

Note: We think in such scenarios, it is a huge liability for protocol and users to ensure calling triggerNullEpoch() before the trigger ends.

Impact

• Permanent freezing of funds in the collateral vault, which is a loss for premium vault user

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L144-L202

Tool used

Manual Review

Recommendation

• Check if epoch qualifies for null epoch in triggerEndEpoch()

Duplicate of #108