Users Unable To Enter Vault After Emergency Settlement
Summary
Users will not be able to enter a vault after an emergency settlement has occurred.
Vulnerability Detail
Note 1: I have clarified with the sponsor and noted that they are already aware of the fact that no users can enter the vault after an emergency settlement and they further clarified that the users could still exit the vault by taking their proportional share of cash and strategy tokens, and this is their current design at this stage. However, for completeness' sake and clarity, I will document this limitation observed during the audit in this report as this was not explicitly documented anywhere else.
Note 2: This issue affects MetaStable2 and Boosted3 balancer leverage vaults
There might be a case where the vault owns too much of the Balancer pool. The purpose of an emergency settlement is to allow the vault to sell off some of the holdings of the Balancer pool to reduce the vault's holding to bring it back to a healthy ratio.
Based on the current design, the users can only enter the vault if the vault has no asset cash.
File: VaultState.sol
206: /// @param vaultData calldata to pass to the vault
207: function enterMaturity(
208: VaultState memory vaultState,
209: VaultAccount memory vaultAccount,
210: VaultConfig memory vaultConfig,
211: uint256 strategyTokenDeposit,
212: uint256 additionalUnderlyingExternal,
213: bytes calldata vaultData
214: ) internal returns (uint256 strategyTokensAdded) {
215: // If the vault state is holding asset cash this would mean that there is some sort of emergency de-risking
216: // event or the vault is in the process of settling debts. In both cases, we do not allow accounts to enter
217: // the vault.
218: require(vaultState.totalAssetCash == 0);
219: // An account cannot enter a vault with a negative temp cash balance. This can happen during roll vault where
220: // an insufficient amount is borrowed to repay its previous maturity debt.
221: require(vaultAccount.tempCashBalance >= 0);
However, after an emergency settlement, there will be some asset cash in the vault.
Proof-of-Concept
The following PoC shows that after an emergency settlement, the users will not be able to enter the vault again.
Before the emergency settlement, the script asserts that there is no asset cash (assert vaultState["totalAssetCash"] == 0). After the emergency settlement, the script assets that there is some asset cash in the vault (assert vaultState["totalAssetCash"] > 0). At the end of the script, it assets that the user's attempt to enter the vault has reverted.
It is recommended to allow users to enter the vault after the emergency settlement. Alternatively, document the impact of an emergency settlement so that the users will be aware of any side effects of an emergency settlement.
xiaoming90
medium
Users Unable To Enter Vault After Emergency Settlement
Summary
Users will not be able to enter a vault after an emergency settlement has occurred.
Vulnerability Detail
There might be a case where the vault owns too much of the Balancer pool. The purpose of an emergency settlement is to allow the vault to sell off some of the holdings of the Balancer pool to reduce the vault's holding to bring it back to a healthy ratio.
Based on the current design, the users can only enter the vault if the vault has no asset cash.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultState.sol#L207
However, after an emergency settlement, there will be some asset cash in the vault.
Proof-of-Concept
The following PoC shows that after an emergency settlement, the users will not be able to enter the vault again.
Before the emergency settlement, the script asserts that there is no asset cash (
assert vaultState["totalAssetCash"] == 0
). After the emergency settlement, the script assets that there is some asset cash in the vault (assert vaultState["totalAssetCash"] > 0
). At the end of the script, it assets that the user's attempt to enter the vault has reverted.Impact
After an emergency settlement, the vault will be "locked up". Users will not be able to enter the vault, and they are only allowed to exit the vault.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultState.sol#L207
Tool used
Manual Review
Recommendation
It is recommended to allow users to enter the vault after the emergency settlement. Alternatively, document the impact of an emergency settlement so that the users will be aware of any side effects of an emergency settlement.