Users will never be able to make a deposit to a negative Triple vault due to isTriple never being set to true for the negative vault

[hats-bug-reporter[bot]]

Github username: -- Twitter username: iamandreiski Submission hash (on-chain): 0x3b762ca5b95c3efb5e16773f86a6525d10133a9dd18c03352c68d60a257fbbff Severity: medium

Description: Description

Users will never be able to deposit into the negative Triple vault due to isTriple never being set to true for the negative vault during Triple creation.

Attack Scenario

When a new Triple is created _createTriple() is invoked which among other things sets the isTriple as true for the newly created Triple vault id:

 uint256 id = _createVault();

        // calculate protocol deposit fee
        uint256 protocolDepositFee = protocolFeeAmount(userDeposit, id);

        // calculate user deposit after protocol fees
        uint256 userDepositAfterprotocolFee = userDeposit - protocolDepositFee;

        // map the resultant triple hash to the new vault ID of the triple
        triplesByHash[hash] = id;

        // map the triple's vault ID to the underlying atom vault IDs
        triples[id] = [subjectId, predicateId, objectId];

        // set this new triple's vault ID as true in the IsTriple mapping as well as its counter
        isTriple[id] = true;

When a counter/negative vault is created after _depositOnVaultCreation` is called, here if the id of the vault is "Triple" it calculates its negative/counter vault and deposits ghost shares to it:

  if (isTripleId(id)) {
            uint256 counterVaultId = getCounterIdFromTriple(id);

            // set vault totals
            _setVaultTotals(
                counterVaultId,
                vaults[counterVaultId].totalAssets + assetsForZeroAddressInCounterVault,
                vaults[counterVaultId].totalShares + sharesForZeroAddress
            );

            // mint `sharesForZeroAddress` shares to zero address to initialize the vault
            _mint(address(0), counterVaultId, sharesForZeroAddress);
        }

The problem is, whenever users want to deposit to the counter vault, they can't as the following condition in depositTriple will always fail:

 if (!isTripleId(id)) {
            revert Errors.MultiVault_VaultNotTriple();
        }

Here is how isTripleId(id) is decided:

function isTripleId(uint256 id) public view returns (bool) {
        bool isCounterTriple = id > type(uint256).max / 2;
        return isCounterTriple ? isTriple[type(uint256).max - id] : isTriple[id];
    }

Since the vault in which users want to deposit will be a counterTriple or its id would be above type(uint256).max / 2, it will check whether isTriple[type(uint256).max - id] is true, but since it was never set to true when creating the Triple vault, it will always return false.

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

[mihailo-maksa]

This report is invalid due to the following reasons:

1. Correct Implementation: The depositTriple function correctly verifies whether a vault is a triple vault using the isTripleId function, which checks both positive and counter vaults. The logic is thoroughly tested and proven correct.
2. Unit Tests: Comprehensive unit tests validate that the isTripleId function works as expected, confirming that deposits to negative triple vaults are handled correctly.

In conclusion, the current implementation is correct and validated through testing. Therefore, this issue is invalid.