WETH (assetToken) & USDC (quoteToken) can be stuck forever in PerpDepository.sol
Summary
There is no way to rescue assetToken (WETH) and quoteToken (USDC) form the PerpDepository.sol contract.
Due to accounting problems & reliance on external sources (Like uniswap V3 Swaps, and Perpetual protocol deposits and withdraws, yield, etc), WETH tokens can be stuck forever in the contract.
Vulnerability Detail
The PerpDepository.sol uses perpetuals protocol to manage delta neutral strategies,
and it manages 2 main tokens:
1) quoteToken - USDC
2) assetToken - WETH
Due to accounting issues and swaps slippage some WETH & USDC might get stuck in the contract and it would be never be retrievable, by the admins or by anyone.
The two tokens are being held by the contract in many occasions:
1) When users mint UXD tokens using the UXDController.sol, their collateral is being sent to the depository and then deposited into perpetual protocol.
2) When admin calls the depositInsurance function usdc is being sent to the depository
3) When a user calls the rebalance function which triggers the _rebalanceNegativePnlWithSwap which swaps WETH for USDC on uniswapV3
During all these process tokens might be stayed in the contract and locked.
Since there is no way to retrieve tokens from the contract they could be lost forever.
Impact
User's & Protocol - USDC & WETH might get lost forever
JohnnyTime
high
WETH (
assetToken
) & USDC (quoteToken
) can be stuck forever inPerpDepository.sol
Summary
There is no way to rescue
assetToken
(WETH) andquoteToken
(USDC) form thePerpDepository.sol
contract. Due to accounting problems & reliance on external sources (Like uniswap V3 Swaps, and Perpetual protocol deposits and withdraws, yield, etc), WETH tokens can be stuck forever in the contract.Vulnerability Detail
The
PerpDepository.sol
uses perpetuals protocol to manage delta neutral strategies, and it manages 2 main tokens: 1)quoteToken
- USDC 2)assetToken
- WETHDue to accounting issues and swaps slippage some WETH & USDC might get stuck in the contract and it would be never be retrievable, by the admins or by anyone.
The two tokens are being held by the contract in many occasions: 1) When users mint UXD tokens using the
UXDController.sol
, their collateral is being sent to the depository and then deposited into perpetual protocol. 2) When admin calls thedepositInsurance
function usdc is being sent to the depository 3) When a user calls therebalance
function which triggers the_rebalanceNegativePnlWithSwap
which swaps WETH for USDC on uniswapV3 During all these process tokens might be stayed in the contract and locked. Since there is no way to retrieve tokens from the contract they could be lost forever.Impact
User's & Protocol - USDC & WETH might get lost forever
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L499-L523 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L240-L253 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L179-L202
Tool used
Manual Review
Recommendation
Create another onlyOwner function which will allow withdrawing and rescuing locked WETH and USDC from the depository.