An attacker can take advantage of null epoch to play arbitrage
Summary
An attacker can take advantage of null epoch where no funds are deposited to collateral vault to play arbitrage by depositing Infinitesimally small value to the collateral vault.
Vulnerability Detail
During a null epoch where no funds are deposited in the collateral vault, an attacker can take advantage of this situation by depositing an infinitesimally small value to the collateral vault and potentially play arbitrage to make guaranteed profits.
Attack scenario:
Users deposited funds to the premium vault right after the epoch begins.
No users are interested to take risk and deposit in collateral vault so collateral vault has no deposits.
Deposit period is about to end and an attacker noticed that collateral vault is empty and premium vault has some funds in it.
Now attacker deposits an infinitesimally small fund for example 1 Wei to the collateral vault.
Epoch is started.
At this state attacker is in a position where make profits in both scenarios regardless of whether a depeg event occurs or not.
If depeg occurs his one wei will be transfered to premium vault and he will get all the funds in the premium vault.
If depeg doesn't occurs attacker will get both his 1 wei and funds in the premium vault.
To fix this issue an epoch with collateralTVL < premiumTVL should be considered a NullEpoch.
Consider the collateralVault.totalAssets(_epochId) < premiumVault.totalAssets(_epochId) condition also as a NullEpoch condition by adding that condition to the if block in collateralVault.triggerDepeg and collateralVault.triggerEndEpoch functions so that they will revert if collateralTVL < premiumTVL.
function triggerDepeg(uint256 _marketId, uint256 _epochId) public {
address[2] memory vaults = vaultFactory.getVaults(_marketId);
if (vaults[0] == address(0) || vaults[1] == address(0))
revert MarketDoesNotExist(_marketId);
// ...
// The Fix
// check if epoch qualifies for null epoch
if (
premiumVault.totalAssets(_epochId) == 0 ||
collateralVault.totalAssets(_epochId) == 0 ||
collateralVault.totalAssets(_epochId) < collateralVault.totalAssets(_epochId)
) {
revert VaultZeroTVL();
}
// ...
}
0xvj
high
An attacker can take advantage of null epoch to play arbitrage
Summary
An attacker can take advantage of null epoch where no funds are deposited to collateral vault to play arbitrage by depositing Infinitesimally small value to the collateral vault.
Vulnerability Detail
During a null epoch where no funds are deposited in the collateral vault, an attacker can take advantage of this situation by depositing an infinitesimally small value to the collateral vault and potentially play arbitrage to make guaranteed profits.
Attack scenario:
Impact
An attacker can steal funds of premium vault .
Code Snippet
Lines Of Code
ControllerPeggedAssetV2.triggerDepeg
function: https://github.com/Y2K-Finance/Earthquake/blob/736b2e1e51bef6daa6a5ecd1decb7d156316d795/src/v2/Controllers/ControllerPeggedAssetV2.sol#L51-L138ControllerPeggedAssetV2.triggerEndEpoch
function: https://github.com/Y2K-Finance/Earthquake/blob/736b2e1e51bef6daa6a5ecd1decb7d156316d795/src/v2/Controllers/ControllerPeggedAssetV2.sol#L144-L202Tool used
Manual Review
Recommendation
collateralTVL < premiumTVL
should be considered aNullEpoch
.Consider the
collateralVault.totalAssets(_epochId) < premiumVault.totalAssets(_epochId)
condition also as a NullEpoch condition by adding that condition to the if block incollateralVault.triggerDepeg
andcollateralVault.triggerEndEpoch
functions so that they will revert ifcollateralTVL < premiumTVL
.Duplicate of #392