USER FUNDS ARE LOCKED IN THE CONTRACT UNTIL THE DEGPEG EVENT OCCURS, EPOCH EXPIRED OR NULL EPOCH OCCURS
Summary
User is required to deposit the funds before the start of the epoch and are not allowed to withdraw their respective assets until the epoch has been resolved or expired.
Vulnerability Detail
The user is required to deposit the funds before the start of the epoch. This is handled in the VaultV2.sol contract deposit function. It uses the epochHasNotStarted(_id) modifier to enact this condition.
The user is only allowed to withdraw the entitled assets only after the epoch has ended. This restriction is implemented in the withdraw function of the VaultV2.sol contract by using the epochHasEnded(_id) modifier.
epochHasEnded(_id) modifier passes only when the epoch is resolved. There are three scenarios under which the epoch will resolved. These three scenarios are triggerDepeg, triggerEndEpoch and triggerNullEpoch. So the user will be withdraw his deposited funds and his winnings only after one of above three scenarios are triggered.
Impact
User funds and winnings will be locked since the time of deposit until the time the epoch has been resolved. So if the user is required to withdraw his or her funds shortly after depositing due to any reason such as nominal value of his assets decreasing or wanting his assets for another emergency utility he will not be able to withdraw.
Code Snippet
function deposit(
uint256 _id,
uint256 _assets,
address _receiver
)
public
virtual
override(SemiFungibleVault)
epochIdExists(_id)
epochHasNotStarted(_id)
nonReentrant
{
...
}
Make it possible for the depositor to withdraw his deposits in case of emergency before the epoch starts. A new function should be defined in the VaultV2.sol to make the withdrawal possible before the epoch start time.
Udsen
medium
USER FUNDS ARE LOCKED IN THE CONTRACT UNTIL THE DEGPEG EVENT OCCURS, EPOCH EXPIRED OR NULL EPOCH OCCURS
Summary
User is required to deposit the funds before the start of the
epochand are not allowed to withdraw their respective assets until theepochhas been resolved or expired.Vulnerability Detail
The user is required to deposit the funds before the start of the
epoch. This is handled in theVaultV2.solcontractdepositfunction. It uses theepochHasNotStarted(_id)modifier to enact this condition.The user is only allowed to withdraw the entitled assets only after the epoch has ended. This restriction is implemented in the
withdrawfunction of theVaultV2.solcontract by using theepochHasEnded(_id)modifier.epochHasEnded(_id)modifier passes only when the epoch is resolved. There are three scenarios under which the epoch will resolved. These three scenarios aretriggerDepeg,triggerEndEpochandtriggerNullEpoch. So the user will be withdraw his deposited funds and his winnings only after one of above three scenarios are triggered.Impact
User funds and winnings will be locked since the time of deposit until the time the epoch has been resolved. So if the user is required to withdraw his or her funds shortly after depositing due to any reason such as nominal value of his assets decreasing or wanting his assets for another emergency utility he will not be able to withdraw.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/VaultV2.sol#L102
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/VaultV2.sol#L158
Tool used
VSCode and Manual Review
Recommendation
Make it possible for the depositor to withdraw his deposits in case of emergency before the epoch starts. A new function should be defined in the
VaultV2.solto make the withdrawal possible before the epoch start time.