function _prepareAnnouncementOrder(uint256 keeperFee) internal returns (uint64 executableAtTime) {
// Settle funding fees to not encounter the `MaxSkewReached` error.
// This error could happen if the funding fees are not settled for a long time and the market is skewed long
// for a long time.
vault.settleFundingFees();
CL001
medium
Unexpected revert during announce and execute delayed orders
Summary
Announcing and executing delayed orders can revert due to an arithmetic overflow.
Vulnerability Detail
A user decides to make a delayed deposit into the stable LP. First, the user calls the announceStableDeposit() method:
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/DelayedOrder.sol#L67
and then executeDeposit():
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/StableModule.sol#L61
The problem is that the prepareAnnouncementOrder function must call the settleFundingFees() function each time:
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/DelayedOrder.sol#L634
The settleFundingFees() method is used to settle the funding fees between longs and LPs:
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/FlatcoinVault.sol#L228
Test PoC
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/FlatcoinVault.sol#L232
At this time, _globalPositions.marginDepositedTotal = 5,4992013933095422080 and _fundingFees = -69,297708333333333480.
_globalPositions.marginDepositedTotal > _fundingFees, so uint256(int256(5,4992013933095422080) + (-69,297708333333333480)) = uint256(-14305694400237911400), and the value of marginDepositedTotal will be very huge (as we can see, 1.157e77).
Impact
The vulnerability can result in the contract reverting due to an overflow, disrupting the functionality of the contract.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/FlatcoinVault.sol#L228
Tool used
Manual Review
Recommendation
Need to take into account the case where marginDepositedTotal plus _fundingFees is negative.
Duplicate of #195
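The cast described in the report and one way to guard it, as an added Solidity example that is not code from the audited repository. The contract and function names are hypothetical, the zero fallback is an assumption about how the recommendation could be applied, and the constants are the report's values with the separators removed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration; not code from the audited repository.
/// Function names and the zero fallback are assumptions.
contract MarginSettlementExample {
    // Values taken from the report, separators removed.
    uint256 internal constant MARGIN_TOTAL = 54992013933095422080;
    int256 internal constant FUNDING_FEES = -69297708333333333480;

    /// Pattern from the report: the total is compared with the signed fee.
    /// A non-negative total always exceeds a negative fee, so the negative
    /// sum reaches the explicit uint256 cast, which wraps instead of reverting.
    function settleUnchecked(uint256 total, int256 fees) public pure returns (uint256) {
        return (int256(total) > fees) ? uint256(int256(total) + fees) : 0;
    }

    /// Guarded form: decide on the sign of the sum, and clamp to zero when
    /// the fees exceed the deposited margin.
    function settleClamped(uint256 total, int256 fees) public pure returns (uint256) {
        int256 sum = int256(total) + fees;
        return sum > 0 ? uint256(sum) : 0;
    }

    /// Evaluates both forms on the report's inputs for comparison.
    function demo() external pure returns (uint256 wrapped, uint256 clamped) {
        wrapped = settleUnchecked(MARGIN_TOTAL, FUNDING_FEES);
        clamped = settleClamped(MARGIN_TOTAL, FUNDING_FEES);
    }
}
```

In Solidity 0.8 the explicit int256-to-uint256 cast wraps silently, while later checked arithmetic on the wrapped total can overflow and revert.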