sherlock-audit / 2022-09-notional-judging


GimelSec - one maturity could exhaust `VaultBorrowCapacity` #130

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

GimelSec

medium

one maturity could exhaust VaultBorrowCapacity

Summary

VaultBorrowCapacity is used for all maturities in a vault. One or a few maturities could exhaust the capacity.

Vulnerability Detail

All maturities in a vault share a borrow capacity. So if one maturity borrows too much then other maturities in the same vault cannot borrow anymore.

Impact

If totalUsedBorrowCapacity reaches maxBorrowCapacity, no one can borrow anymore.

Code Snippet

https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L293-L315

Tool used

Manual Review

Recommendation

Set a reasonable individual borrow capacity for all the maturities in one vault.

jeffywu commented 1 year ago

This would defeat the purpose of the borrow capacity, which is to limit the overall debt exposure of a vault to a particular strategy. I consider this invalid since this is the purpose of the design altogether.
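The accounting the two comments disagree about, as an added example that is not part of the issue thread and not Notional's code: a simplified Python model of one vault-wide limit shared by all maturities, with an optional per-maturity sub-limit. `per_maturity_cap` is a hypothetical parameter standing in for the recommendation, and the maturity labels and amounts are constructed.

```python
# Simplified accounting model, constructed for illustration (not Notional's Solidity).
from collections import defaultdict


class CapacityExceeded(Exception):
    pass


class VaultCapacityModel:
    def __init__(self, max_borrow_capacity, per_maturity_cap=None):
        self.max_borrow_capacity = max_borrow_capacity  # vault-wide limit (on the page)
        self.per_maturity_cap = per_maturity_cap        # hypothetical sub-limit
        self.total_used_borrow_capacity = 0
        self.used_by_maturity = defaultdict(int)

    def borrow(self, maturity, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        # The vault-wide check applies in both designs: total debt never exceeds the cap.
        if self.total_used_borrow_capacity + amount > self.max_borrow_capacity:
            raise CapacityExceeded("vault-wide capacity reached")
        if (self.per_maturity_cap is not None
                and self.used_by_maturity[maturity] + amount > self.per_maturity_cap):
            raise CapacityExceeded("per-maturity capacity reached")
        self.total_used_borrow_capacity += amount
        self.used_by_maturity[maturity] += amount

    def repay(self, maturity, amount):
        if not 0 < amount <= self.used_by_maturity[maturity]:
            raise ValueError("invalid repay amount")
        # Repayment frees capacity for every maturity, not only the repaying one.
        self.total_used_borrow_capacity -= amount
        self.used_by_maturity[maturity] -= amount


def try_borrows(vault, requests):
    """Apply (maturity, amount) requests in order and return one outcome per request."""
    outcomes = []
    for maturity, amount in requests:
        try:
            vault.borrow(maturity, amount)
            outcomes.append("ok")
        except CapacityExceeded as exc:
            outcomes.append(str(exc))
    return outcomes


# Constructed sample: one maturity asks for the whole cap, then another asks for a little.
REQUESTS = [("2022-12", 1000), ("2023-03", 100)]
shared = try_borrows(VaultCapacityModel(1000), REQUESTS)
split = try_borrows(VaultCapacityModel(1000, per_maturity_cap=600), REQUESTS)
```

In the shared design the second maturity is refused once the first has used the cap; with the sub-limit the first request is refused instead and the second succeeds, while total debt stays within `max_borrow_capacity` in both.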