Emissions can be sent two both the vaults (premium and collateral), and they are withdrawn proportional to the deposit amount of the user. However if either vault is empty, the emissions sent to that vault for that particular epoch is not recoverable anymore, since no user has rights to withdraw it. Thus these emission tokens are forever locked in the contract.
This can lead to unrecoverable tokens which are locked but still show up in the totalsupply of the token. This can be a problem if the token is also used for governance, since a large chuck of it would be irrecoverable. If the emission tokens are external tokens (say ARB tokens received from arbitrum), the this would result in inefficient use of capital.
carrot
medium
Emissions sent to empty vault is forever locked
Summary
Emissions sent to an empty vault is lost.
Vulnerability Detail
Emissions can be sent two both the vaults (premium and collateral), and they are withdrawn proportional to the deposit amount of the user. However if either vault is empty, the emissions sent to that vault for that particular epoch is not recoverable anymore, since no user has rights to withdraw it. Thus these emission tokens are forever locked in the contract.
This can lead to unrecoverable tokens which are locked but still show up in the totalsupply of the token. This can be a problem if the token is also used for governance, since a large chuck of it would be irrecoverable. If the emission tokens are external tokens (say ARB tokens received from arbitrum), the this would result in inefficient use of capital.
Impact
Irrecoverable emission tokens.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L630-L636
This reverts for an empty vault, since finalTVL is set to 0.
Tool used
Manual Review
Recommendation
In ControllerPeggedAssetV2.sol#triggerNullEpoch, withdraw out emission tokens to the treasury, or burn them if the vault is empty.
Duplicate of #122