0xvj - Attacker can lock premium vault funds on collateral vault by calling triggerEndEpoch function during NullEpoch

[sherlock-admin]

0xvj

high

Attacker can lock premium vault funds on collateral vault by calling triggerEndEpoch function during NullEpoch

Summary

An attacker can lock user funds on counterParty vault by calling triggerEndEpoch function during NullEpoch in case the triggerNullEpoch function is not called till the end of the epoch.

Vulnerability Detail

An attacker can call ControllerPeggedAssetV2.triggerEndEpoch in case of null epoch if the triggerNullEpoch function is not called till the end of the epoch. But no one should be able to call ControllerPeggedAssetV2.triggerEndEpoch even after the end of epoch if its a null epoch.

The issue is caused by the absence of a null epoch check on the ControllerPeggedAssetV2.triggerEndEpoch function.

Attack Scenario:

1. Let's say all the users together deposited 10 ether to the premium vault and no one deposited to collateral vault.
2. So its a null epoch as one of the vault is empty.
3. Epoch is started so someone can call the triggerNullEpoch function at this point.
4. But no one called triggerNullEpoch as it can be called anytime even after the end of epoch.
5. Epoch is Ended
6. Now an attacker can call triggerEndEpoch function as the epoch is ended
7. triggerEndEpoch will exchange transfer all the funds from premium vault to collateral vault.
8. This wil lock funds of premium vault user in collateral vault. As there are no user in collateral vault too premium vault funds will be locked in collateral vault forever.

Impact

An attacker can lock the funds of premium vault in collateral vault forever.

Code Snippet

Lines of code

https://github.com/Y2K-Finance/Earthquake/blob/736b2e1e51bef6daa6a5ecd1decb7d156316d795/src/v2/Controllers/ControllerPeggedAssetV2.sol#L144-L202

Tool used

Manual Review

Recommendation

Add the null epoch check to the ControllerPeggedAssetV2.triggerEndEpoch function.

function triggerEndEpoch(uint256 _marketId, uint256 _epochId) public {
        address[2] memory vaults = vaultFactory.getVaults(_marketId);

        if (vaults[0] == address(0) || vaults[1] == address(0))
            revert MarketDoesNotExist(_marketId);

        IVaultV2 premiumVault = IVaultV2(vaults[0]);
        IVaultV2 collateralVault = IVaultV2(vaults[1]);

        if (
            premiumVault.epochExists(_epochId) == false ||
            collateralVault.epochExists(_epochId) == false
        ) revert EpochNotExist();

        (, uint40 epochEnd, ) = premiumVault.getEpochConfig(_epochId);

        if (block.timestamp <= uint256(epochEnd)) revert EpochNotExpired();

        //require this function cannot be called twice in the same epoch for the same vault
        if (premiumVault.epochResolved(_epochId)) revert EpochFinishedAlready();
        if (collateralVault.epochResolved(_epochId))
            revert EpochFinishedAlready();

        // The fix
        // check if epoch qualifies for null epoch
    +  if (
    +       premiumVault.totalAssets(_epochId) == 0 ||
    +       collateralVault.totalAssets(_epochId) == 0
    +   ) {
    +       revert VaultZeroTVL();
    +   }

        // ...
    }

Duplicate of #108