But the _accounts[owner].debt can be equal to or less than zero as noted in the comment of AlchemistV2.sol.
// It is possible that the amount of debt which is repayable is equal to or less than zero after realizing the
// credit that was earned since the last update. We do not want to perform a noop so we need to check that the
// amount of debt to repay is greater than zero.
So current_debt can underflow in Vault._calculate_max_mintable_amount. If _calculate_max_mintable_amount returns huge result due to the underflow, this cap will not work.
XKET
medium
Underflow can ruin mint from Alchemix logic
Summary
There can be an underflow in
Vault._calculate_max_mintable_amount
and it can ruin minting from Alchemix.Vulnerability Detail
Vault._calculate_max_mintable_amount
getscurrent_debt
from the first item of the result ofAlchemistV2.accounts
And
AlchemistV2.accounts
returns_calculateUnrealizedDebt
as the first item of the result.In
_calculateUnrealizedDebt
, the return value is initialized by _accounts[owner].debt and then subtracted by unrealized credits.But the
_accounts[owner].debt
can be equal to or less than zero as noted in the comment ofAlchemistV2.sol
.So
current_debt
can underflow inVault._calculate_max_mintable_amount
. If_calculate_max_mintable_amount
returns huge result due to the underflow, this cap will not work.And mint more amount than expected from alchemix here.
Impact
Alchemix integration will be wrong.
Code Snippet
https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L269 https://github.com/alchemix-finance/v2-contracts/blob/2b4ebfa619c4f3dd6ee48098a81e70ddb3369e53/contracts/AlchemistV2.sol#L143-L156 https://github.com/alchemix-finance/v2-contracts/blob/2b4ebfa619c4f3dd6ee48098a81e70ddb3369e53/contracts/AlchemistV2.sol#L1520-L1546 https://github.com/alchemix-finance/v2-contracts/blob/2b4ebfa619c4f3dd6ee48098a81e70ddb3369e53/contracts/AlchemistV2.sol#L718-L720 https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L237-L238 https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L227-L230
Tool used
Manual Review
Recommendation
Use safeCast equivalent instead of naive convert