Closed sherlock-admin closed 8 months ago
2 comment(s) were left on this issue during the judging contest.
0xLogos commented:
low, there's a correct check in stable withdraw execution. After doing some math, you'll see that the correct check is more strict, so the announce function won't revert falsely.
takarez commented:
invalid
The protocol team fixed this issue in PR/commit https://github.com/dhedge/flatcoin-v1/pull/273.
dany.armstrong90
high
FlatcoinVault.sol#checkSkewMax function is called with error.
Summary
FlatcoinVault.sol#checkSkewMax function is called with a wrong parameter in the DelayedOrder.sol#announceStableWithdraw function. So FlatcoinVault.sol#checkSkewMax will malfunction.

Vulnerability Detail
FlatcoinVault.sol#checkSkewMax function is the following.
From L295 and L303, we can see that _additionalSkew should be the amount of collateral to be added into long positions inside the pool. On the other hand, DelayedOrder.sol#announceStableWithdraw function is the following.
Since the announceStableWithdraw function decreases the stableCollateralTotal of FlatcoinVault.sol#L303, it should pass the amount of decreased stable collateral to the FlatcoinVault.sol#checkSkewMax function. (See Recommendation) But now exepectedAmountOut of L132 is the amount of collateral which is refunded from the pool to the user. Thus FlatcoinVault.sol#checkSkewMax will malfunction.

Impact
FlatcoinVault.sol#checkSkewMax will malfunction. That is, the system may be too skewed towards longs after redeeming stables, or redeeming stables may fail while the system is not too skewed towards longs.

Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L132

Tool used
Manual Review

Recommendation
Add the amount of stable collateral to remove as a parameter to the FlatcoinVault.sol#checkSkewMax function, and modify the DelayedOrder.sol#announceStableWithdraw function to pass the stableCollateralAmount which corresponds to withdrawAmount. That is, modify the FlatcoinVault.sol#checkSkewMax function as follows. Then modify the DelayedOrder.sol#announceStableWithdraw function as follows. There are several places where the vault.checkSkewMax function is called, so all such calls should be updated with the new signature.

Duplicate of #193
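The point the report makes, that a skew guard must be fed the same quantity the state change actually applies, can be shown with a small constructed model. This is an added example, not Flatcoin's code: the skew formula (longs may not exceed a fixed fraction of the stable side), the withdrawal fee, and the names `Vault`, `check_skew_max`, `announce_stable_withdraw` and `guard_passes` are all assumptions chosen only to contrast the two call shapes the report describes (refund amount passed as additional long skew, versus the removed stable collateral passed as such).

```python
"""Constructed model of a skew guard around a stable-collateral withdrawal.

Added illustration, not Flatcoin's code. The formula, the fee and the
function names are assumptions made for this example.
"""
from fractions import Fraction


class SkewError(Exception):
    """Raised when the guard rejects a pending state change."""


class Vault:
    def __init__(self, stable_collateral, long_collateral, max_skew_fraction):
        self.stable_collateral = Fraction(stable_collateral)   # stable side
        self.long_collateral = Fraction(long_collateral)       # collateral backing longs
        self.max_skew_fraction = Fraction(max_skew_fraction)   # e.g. 6/5 = longs <= 120% of stable

    def check_skew_max(self, additional_long=0, stable_removed=0):
        """Assumed guard: after the pending change, longs must not exceed
        max_skew_fraction of the stable side."""
        stable_after = self.stable_collateral - Fraction(stable_removed)
        long_after = self.long_collateral + Fraction(additional_long)
        if stable_after <= 0 or long_after > stable_after * self.max_skew_fraction:
            raise SkewError("system too skewed towards longs")
        return True


def announce_stable_withdraw(vault, stable_collateral_amount, fee_bps, buggy):
    """Announce-time guard for a withdrawal.

    stable_collateral_amount: collateral leaving the stable side (assumed to
    correspond to the user's withdrawAmount). The user is refunded that minus
    a fee; the refund plays the role of expectedAmountOut.
    buggy=True  -> refund amount passed as additional long skew (the call
                   shape the report criticises).
    buggy=False -> removed stable collateral passed as such (the report's
                   recommendation).
    """
    amount = Fraction(stable_collateral_amount)
    expected_amount_out = amount * (10_000 - fee_bps) / 10_000
    if buggy:
        return vault.check_skew_max(additional_long=expected_amount_out)
    return vault.check_skew_max(stable_removed=amount)


def guard_passes(vault, stable_collateral_amount, fee_bps, buggy):
    """True if the announce-time guard accepts the withdrawal, False if it reverts."""
    try:
        return announce_stable_withdraw(vault, stable_collateral_amount, fee_bps, buggy)
    except SkewError:
        return False


if __name__ == "__main__":
    # Constructed state: 1000 stable, 1100 long, longs capped at 120% of stable,
    # 10% withdrawal fee. Withdrawing 100 of stable collateral refunds 90.
    v = Vault(1000, 1100, Fraction(6, 5))
    for buggy in (True, False):
        print("buggy" if buggy else "fixed", "->",
              "accepted" if guard_passes(v, 100, 1000, buggy) else "rejected")
```

With the constructed numbers the refund-based call accepts the withdrawal (1100 + 90 against a cap of 1200), while the corrected call rejects it (1100 against a cap of 1.2 × 900 = 1080): the stable side shrinks, so the guard that ignores the removed collateral under-estimates the resulting skew. A small withdrawal (10 of stable collateral) passes under both shapes, which is why the discrepancy only surfaces near the skew limit.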