0xNirix - Liquidity Vault will accumulate inaccessible Pegged Assets (PA) affecting users funds #101

Closed
sherlock-admin2 opened this issue Sep 10, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments


sherlock-admin2 commented Sep 10, 2024

0xNirix

High

Liquidity Vault will accumulate inaccessible Pegged Assets (PA) affecting users funds

Summary

A flaw in the reserve calculation logic will cause an accumulation of inaccessible Pegged Assets (PA) as the Liquidity Vault will not consider stagnant PA balances in rationing on new issuance.

Root Cause

In VaultPoolLibrary, the reserve function fails to include the stagnatedPaBalance in its calculations.
https://github.com/sherlock-audit/2024-08-cork-protocol/blob/main/Depeg-swap/contracts/libraries/VaultPoolLib.sol#L26-L28

```solidity
function reserve(VaultPool storage self, uint256 totalLvIssued, uint256 addedRa, uint256 addedPa) internal {
    // ... (RA handling)

    // PA
    uint256 totalPa = self.withdrawalPool.paBalance + addedPa;
    (attributedToWithdraw, attributedToAmm, ratePerLv) =
        MathHelper.separateLiquidity(totalPa, totalLvIssued, totalLvWithdrawn);

    self.withdrawalPool.paBalance = attributedToWithdraw;
    self.withdrawalPool.stagnatedPaBalance = attributedToWithdraw;
    self.withdrawalPool.paExchangeRate = ratePerLv;
}
```

The totalPa calculation only considers the current paBalance and addedPa (redeemed using CT), omitting the stagnatedPaBalance. Both paBalance and stagnatedPaBalance are then set to the new attributedToWithdraw value, effectively overwriting any previous stagnant PA without including it in new calculations. This leads to a continuous accumulation of inaccessible PA with each reserve operation.
Also, according to the comment in the code, since PA is not used for providing liquidity to the AMM, it should be rationed again at the next issuance:

```solidity
// FIXME : this is only temporary, for now
// we trate PA the same as RA, thus we also separate PA
// the difference is the PA here isn't being used as anything
// and for now will just sit there until rationed again at next expiry.
```

There is another issue that the stagnatedPaBalance is incorrectly set to attributedToWithdraw instead of attributedToAmm.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. A reserve operation occurs during issuance, adding new PA to the system through redemption of CT.
  2. The reserve function calculates totalPa without including stagnatedPaBalance.
  3. New paBalance and stagnatedPaBalance are set, overwriting previous values.
  4. Steps 1-3 repeat with each new reserve operation, accumulating inaccessible PA.

Impact

The users suffer an approximate loss equal to the cumulative amount of PA that becomes inaccessible over time. Users cannot redeem the full amount of PA that should be available in the system.

PoC

No response

Mitigation

Modify the reserve function to include stagnatedPaBalance in the totalPa calculation and correct the stagnatedPaBalance assignment.

Duplicate of #191
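
The accounting described in the report, modelled in Python as an added example (not part of the report or the project's code). It assumes `separate_liquidity` is a pro-rata split standing in for `MathHelper.separateLiquidity`, that no withdrawals happen between `reserve` calls, and it uses a hypothetical `pa_held` field plus constructed round values to track the PA the vault really holds.

```python
from dataclasses import dataclass

def separate_liquidity(total, lv_issued, lv_withdrawn):
    # Assumption: pro-rata split; stands in for MathHelper.separateLiquidity.
    to_withdraw = total * lv_withdrawn // lv_issued
    return to_withdraw, total - to_withdraw

@dataclass
class WithdrawalPool:
    pa_balance: int = 0
    stagnated_pa_balance: int = 0
    pa_held: int = 0  # hypothetical ground truth: PA tokens actually in the vault

def reserve_reported(pool, lv_issued, lv_withdrawn, added_pa):
    """PA branch as quoted in the report: stagnated PA is left out of totalPa."""
    pool.pa_held += added_pa
    total_pa = pool.pa_balance + added_pa
    to_withdraw, _to_amm = separate_liquidity(total_pa, lv_issued, lv_withdrawn)
    pool.pa_balance = to_withdraw
    pool.stagnated_pa_balance = to_withdraw  # overwrites the previous stagnant PA
    return total_pa

def reserve_mitigated(pool, lv_issued, lv_withdrawn, added_pa):
    """Mitigation from the report: count stagnated PA, store the non-withdraw share."""
    pool.pa_held += added_pa
    total_pa = pool.pa_balance + pool.stagnated_pa_balance + added_pa
    to_withdraw, to_amm = separate_liquidity(total_pa, lv_issued, lv_withdrawn)
    pool.pa_balance = to_withdraw
    pool.stagnated_pa_balance = to_amm
    return total_pa

def stranded_per_round(reserve_fn, rounds):
    """PA held by the vault but absent from the amount each reserve call rations."""
    pool = WithdrawalPool()
    stranded = []
    for lv_issued, lv_withdrawn, added_pa in rounds:
        total_pa = reserve_fn(pool, lv_issued, lv_withdrawn, added_pa)
        stranded.append(pool.pa_held - total_pa)
    return stranded

# Constructed input: three issuances, 40% of LV queued for withdrawal, 100 PA each.
ROUNDS = [(1000, 400, 100)] * 3

if __name__ == "__main__":
    print("reported :", stranded_per_round(reserve_reported, ROUNDS))
    print("mitigated:", stranded_per_round(reserve_mitigated, ROUNDS))
```

An invariant test asserting that tracked PA equals the vault's PA holdings after every `reserve` call would catch this class of drift.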

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. labels Sep 14, 2024
@sherlock-admin3 sherlock-admin3 changed the title from "Gorgeous Chrome Locust - Liquidity Vault will accumulate inaccessible Pegged Assets (PA) affecting users funds" to "0xNirix - Liquidity Vault will accumulate inaccessible Pegged Assets (PA) affecting users funds" Sep 25, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Sep 25, 2024