Closed sherlock-admin closed 1 year ago
Can the auditor provide a POC that the deposit is not applied to repayment? There is an existing unit test that validates that this does happen: https://github.com/notional-finance/contracts-v2/blob/bcb145c725d90e65f99505d44275e62f37398264/tests/stateful/vaults/test_vault_roll.py#L240-L241
The reason is that the account accrues a positive or negative net cash balance throughout the transaction so the placement of the deposit within the parent function does not have an effect. I believe this report is invalid unless the auditor can provide a POC.
xiaoming90
high
Deposit Cannot Be Used For Repayment When Rolling Position
Summary
The user's deposit cannot be used for repayment when rolling a position.
Vulnerability Detail
During rolling over a position, based on the comments below, it was understood that the vault allows a deposit from the user to be used as repayment for the lending. This is to allow an account to roll its position even if they are close to the max borrow capacity. However, it was observed that it is not possible for the users to do so.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L135
Per the source code below, the deposit is credited into the user's vault account after the repayment. The repayment is executed at Line 122 via the vaultAccount.lendToExitVault function first, and then the user's deposit is credited into their account at Line 138 via the depositForRollPosition function.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L87
Impact
Users will not be able to roll their position if they are close to the max borrow capacity. Thus, their options are only limited to exiting the existing vault OR waiting until the existing vault has matured/settled before exiting. If these options are suboptimal, this will result in a loss of gain/assets for the users because they would have been able to gain more assets if their positions were rolled over.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L135
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L87
Tool used
Manual Review
Recommendation
It is recommended to update the rollVaultPosition implementation to allow the user's deposit to be used for repayment.
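The disagreement in this thread comes down to whether cash is checked at each step or netted over the whole transaction. The following Python model of both accounting styles is an added illustration, not code from the Notional contracts or from either participant; the function names, step labels and amounts are all constructed.

```python
# Simplified model of the two accounting styles argued in the thread.
# Not Notional contract code; names, step labels and amounts are constructed.
from typing import Callable, Dict, List, Tuple

Step = Tuple[str, int]  # (label, signed cash delta for the account)

class Revert(Exception):
    """Stands in for a reverted transaction."""

def run_eager(opening_cash: int, steps: List[Step]) -> int:
    """Every step must be fundable from the balance at that moment."""
    cash = opening_cash
    for label, delta in steps:
        if cash + delta < 0:
            raise Revert(f"insufficient cash at step {label!r}")
        cash += delta
    return cash

def run_netted(opening_cash: int, steps: List[Step]) -> int:
    """Balance may dip negative mid-transaction; only the final net is checked."""
    cash = opening_cash + sum(delta for _, delta in steps)
    if cash < 0:
        raise Revert("negative net cash at end of transaction")
    return cash

def outcome(runner: Callable[[int, List[Step]], int], opening: int, steps: List[Step]) -> str:
    try:
        return f"ok:{runner(opening, steps)}"
    except Revert:
        return "revert"

OPENING = 95                      # constructed cash available before repayment
REPAY = ("repay_old_debt", -100)  # constructed cost of lending to exit
DEPOSIT = ("user_deposit", 10)    # constructed user deposit

def compare() -> Dict[str, str]:
    return {
        "eager, repay then deposit": outcome(run_eager, OPENING, [REPAY, DEPOSIT]),
        "eager, deposit then repay": outcome(run_eager, OPENING, [DEPOSIT, REPAY]),
        "netted, repay then deposit": outcome(run_netted, OPENING, [REPAY, DEPOSIT]),
        "netted, no deposit at all": outcome(run_netted, OPENING, [REPAY]),
    }

if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case}: {result}")
```

Which of the two models matches rollVaultPosition is what the requested POC or the linked unit test would settle.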