In BalancedVault.sol user deposits mapping is overwritten anytime function _settle(address account) is called.
Vulnerability Detail
function _settle(address account) is a Hook that is called before every stateful operation and it Settles the vault's account on both the long and short product, along with any global or user-specific deposits/redemptions.
But it directly overwrites user deposits with what ever pending deposits are there without consideration for current user deposits
Users making multiple deposits will loose there previous deposits if currentEpochStale() is true. A malicious attacker can also call depositFor to overwrite an accounts balance if currentEpochStale() is true
josephdara
high
user deposits are overwritten
Summary
In
BalancedVault.sol
user deposits mapping is overwritten anytimefunction _settle(address account)
is called.Vulnerability Detail
function _settle(address account)
is a Hook that is called before every stateful operation and it Settles the vault's account on both the long and short product, along with any global or user-specific deposits/redemptions. But it directly overwrites user deposits with what ever pending deposits are there without consideration for current user depositsImpact
Users making multiple deposits will loose there previous deposits if
currentEpochStale()
is true. A malicious attacker can also calldepositFor
to overwrite an accounts balance ifcurrentEpochStale()
is trueCode Snippet
https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial-vaults/contracts/balanced/BalancedVault.sol#L375-L422
Tool used
Manual Review
Recommendation
change the function to be