search

sherlock-audit / 2023-03-Y2K-judging

7 stars 1 forks source link

minhtrng - Funds from premium vault can get stuck after sending to collateral vault #479

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

minhtrng

medium

Funds from premium vault can get stuck after sending to collateral vault

Summary

When an epoch ends without depeg and collateral vault has 0 TVL, funds from premium vault will get stuck in the collateral vault.

Vulnerability Detail

When an epoch ends without depeg, the premiums from premium vault will be send to the collateral vault and the claim TVL will be set accordingly:

//ControllerPeggedAssetV2.triggerEndEpoch
collateralVault.setClaimTVL(_epochId, collateralTVLAfterFee);
...
premiumVault.sendTokens(
            _epochId,
            premiumTVLAfterFee,
            address(collateralVault)
        );

If the TVL of the collateral vault has been 0 for that epoch, no one will be able to claim the funds.

The odds of that happening are low, since such an epoch could be resolved with triggerNullEpoch. However, the function triggerDepeg does account for it and forbids being called if any of the vaults has TVL 0, so triggerEndEpoch should too:

if (
    premiumVault.totalAssets(_epochId) == 0 ||
    collateralVault.totalAssets(_epochId) == 0
) {
    revert VaultZeroTVL();
}

Impact

Lock of funds

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/ae7f210d8fbf21b9abf09ef30edfa548f7ae1aef/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L183-L192

Tool used

Manual Review

Recommendation

Perform the same check (shown above) for triggerEndEpoch

Duplicate of #108