This repository has been archived by the owner on Nov 19, 2023. It is now read-only.
xiaoming90 - Debt cannot be repaid without redeeming vault share #191
Labels
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
xiaoming90
medium
Debt cannot be repaid without redeeming vault share
Summary
Debt cannot be repaid without redeeming the vault share. As such, users have to redeem a certain amount of vault shares/strategy tokens at the current market price to work around this issue, which deprives users of potential gains from their vault shares if they maintain ownership until the end.
Vulnerability Detail
https://github.com/sherlock-audit/2023-03-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L277
There is a valid scenario where users want to repay debt without redeeming their vault shares/strategy tokens (mentioned in the comments above "or if it is set to zero" at Line 251-263). In this case, the users will call
exitVault
withvaultSharesToRedeem
parameter set to zero. The entire debt to be repaid will then be recovered directly from the account's wallet.Following is the function trace of the
VaultAccountAction.exitVault
:https://github.com/notional-finance/leveraged-vaults/blob/c707f7781e36d7a1259214dde2221f892a81a9c1/contracts/vaults/common/internal/strategy/StrategyUtils.sol#L153
The problem is that if the vault shares/strategy tokens to be redeemed are zero, the
poolClaim
will be zero and cause a revert within theStrategyUtils._redeemStrategyTokens
function call. Thus, users who want to repay debt without redeeming their vault shares/strategy tokens will be unable to do so.Impact
Users cannot repay debt without redeeming their vault shares/strategy tokens. To do so, they have to redeem a certain amount of vault shares/strategy tokens at the current market price to work around this issue so that
poolClaim > 0
, which deprives users of potential gains from their vault shares if they maintain ownership until the end.Code Snippet
https://github.com/sherlock-audit/2023-03-notional/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L277
Tool used
Manual Review
Recommendation
Within the
VaultConfiguration.redeemWithDebtRepayment
function, skip the vault share redemption ifvaultShares
is zero. In this case, theamountTransferred
will be zero, and the subsequent code will attempt to recover the entireunderlyingExternalToRepay
amount directly from account's wallet.Alternatively, update the
StrategyUtils._redeemStrategyTokens
function to handle zero vault share appropriately. However, note that the revert at Line 154 is added as part of mitigation to the "minting zero-share" bug in the past audit. Therefore, any changes to this part of the code must ensure that the "minting zero-share" bug is not being re-introduced. Removing the code at 153-155 might result in the user's vault share being "burned" but no assets in return under certain conditions.The text was updated successfully, but these errors were encountered: