Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

holyhansss - [MED] Anyone can trigger TriggerEndEpoch even though one of the vault is empty. #361

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Closed

holyhansss - [MED] Anyone can trigger TriggerEndEpoch even though one of the vault is empty. #361

sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023
edited by github-actions bot
Loading

holyhansss

medium

[MED] Anyone can trigger TriggerEndEpoch even though one of the vault is empty.

Summary

triggerNullEpoch() is a function that can be executed when either the premium vault or the collateral vault has a TotalSupply of zero. However, if the TotalSupply of one of the vaults is 0 and triggerNullEpoch() is not called until the end of the epoch, the triggerEndEpoch() function can be called and the user's fund can be locked for life.

Vulnerability Detail

If any of the vaults have a totalAssets() of 0, depositors should always be guaranteed to get their funds back. However, the current implementation does not. If totalAssets() is 0 and triggerNullEpoch() has not been called, someone can maliciously call triggerEndEpoch(). The user who made the deposit will never get the fund back, and the fund will be locked in the contract.

This is my test file for the Vulnerability.
The test depicts a user making a deposit but not getting their ether back when they withdraw.

function testTriggerEndEpochWhenNullEpoch() public { 
        console.log("Before        :", MintableToken(UNDERLYING).balanceOf(alice));
        vm.startPrank(alice);
        VaultV2(premium).deposit(epochId, 1 ether, alice);
        vm.stopPrank();
        skip(10000000); // more than 1 day

				// trigger triggerEndEpoch instead of triggerNullEpoch()
        controller.triggerEndEpoch(marketId, epochId);

        vm.startPrank(alice);
        // vm.expectRevert();
        VaultV2(premium).withdraw(epochId, 1 ether, alice, alice);
        vm.stopPrank();
        console.log("After Withdraw: ", MintableToken(UNDERLYING).balanceOf(alice));
        /*
        result: never get return funds
            Before        : 100000000000000000000
            After Withdraw:  99000000000000000000
        */
    }

full test code: https://gist.github.com/holyhansss/bc34b9e0b809f552c02fc2abf82bc5f8#file-testtriggerendepochwhennullepoch-t-sol-L106

Impact

user’s funds lock into the vault

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L144
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L208

Tool used

Manual Review

Recommendation

Add a check for null epoch in triggerEndEpoch().

	// code from triggerDepeg()
	// check if epoch qualifies for null epoch
  if (
      premiumVault.totalAssets(_epochId) == 0 ||
      collateralVault.totalAssets(_epochId) == 0
  ) {
      revert VaultZeroTVL();
  }

Duplicate of #108
@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin