search

sherlock-audit / 2024-06-leveraged-vaults-judging

9 stars 8 forks source link

ZeroTrust - `BaseStrategyVault::liquidateVaultCashBalance()` are not override in BaseStakingVault.sol #47

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

ZeroTrust

High

BaseStrategyVault::liquidateVaultCashBalance() are not override in BaseStakingVault.sol

Summary

BaseStrategyVault::liquidateVaultCashBalance() are not override in BaseStakingVault.sol

Vulnerability Detail

The BaseStakingVault contract inherits from the BaseStrategyVault contract. In the BaseStakingVault.sol contract, the deleverageAccount function is overridden to handle the WithDrawRequest scenario. However, the liquidateVaultCashBalance() function is not overridden. If a liquidator uses liquidateVaultCashBalance() for liquidation, it will fail to handle the WithDrawRequest scenario.

function liquidateVaultCashBalance(
        address account,
        address vault,
        address liquidator,
        uint256 currencyIndex,
        int256 fCashDeposit
    ) external returns (int256 cashToLiquidator) {
        require(msg.sender == liquidator);
        return NOTIONAL.liquidateVaultCashBalance(
            account, vault, liquidator, currencyIndex, fCashDeposit
        );
    }

Impact

This results in users being unable to withdraw their funds.

Code Snippet

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/BaseStakingVault.sol#L208

Tool used

Manual Review

Recommendation

Handle the WithDrawRequest scenario similarly to how it is done in BaseStakingVault::deleverageAccount.

sherlock-admin4 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Low/QA at most