Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid: the function takes in uint256 as argument; so the recommendation seem non-constructive
The protocol team fixed this issue in PR/commit https://github.com/dhedge/flatcoin-v1/pull/273.
xiaoming90
high
Incorrect sign being used when checking skew
Summary
The incorrect sign is being used when checking skew, leading to the
checkSkewMax
function reverting unexpectedly. As a result, the LPs will be unable to withdraw their assets under certain conditions.Vulnerability Detail
Following is the comment on the
checkSkewMax
function. Noted that the_additionalSkew
is the additional skew added by either opening a long or closing an LP position.At Line 124 below, the
stableModule.stableWithdrawQuote
function will return the amount of collateral (rETH) that the callers are expected to receive when withdrawingwithdrawAmount
amount of UNIT token. Note that the amount of collateral received (expectedAmountOut
) is a positive value and is stored in theuint256
variable.In Line 132 below, the
vault.checkSkewMax
function is executed withadditionalSkew
set to a positiveexpectedAmountOut
, which is incorrect. This is because when collateral is removed from the system, theadditionalSkew
should be a negative value indicating an outflow of collateral (rETH) from the system.https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L132
Impact
The
checkSkewMax
check will revert unexpectedly, leading to LPs being unable to withdraw their assets.Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L132
Tool used
Manual Review
Recommendation
Consider negating the
expectedAmountOut
when checking the skew to indicate an outflow of collateral (rETH) from the system.