You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A flaw in the reserve calculation logic will cause an accumulation of inaccessible Pegged Assets (PA) as the Liquidity Vault will not consider stagnant PA balances in rationing on new issuance.
The totalPa calculation only considers the current paBalance and addedPa (redeemed using CT), omitting the stagnatedPaBalance. Both paBalance and stagnatedPaBalance are then set to the new attributedToWithdraw value, effectively overwriting any previous stagnant PA without including it in new calculations. This leads to a continuous accumulation of inaccessible PA with each reserve operation.
According to the comment in the code also since PA are not used for providing liquidity to AMM, they should be rationed again at next issuance:
// FIXME : this is only temporary, for now
// we trate PA the same as RA, thus we also separate PA
// the difference is the PA here isn't being used as anything
// and for now will just sit there until rationed again at next expiry.
There is another issue that the stagnatedPaBalance is incorrectly set to attributedToWithdraw instead of attributedToAmm.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
A reserve operation occurs during issuance, adding new PA to the system through redemption of CT.
The reserve function calculates totalPa without including stagnatedPaBalance.
New paBalance and stagnatedPaBalance are set, overwriting previous values.
Steps 1-3 repeat with each new reserve operation, accumulating inaccessible PA.
Impact
The users suffer an approximate loss equal to the cumulative amount of PA that becomes inaccessible over time. Users cannot redeem the full amount of PA that should be available in the system.
PoC
No response
Mitigation
Modify the reserve function to include stagnatedPaBalance in the totalPa calculation and correct the stagnatedPaBalance assignment.
0xNirix
High
Liquidity Vault will accumulate inaccessible Pegged Assets (PA) affecting users funds
Summary
A flaw in the reserve calculation logic will cause an accumulation of inaccessible Pegged Assets (PA) as the Liquidity Vault will not consider stagnant PA balances in rationing on new issuance.
Root Cause
In VaultPoolLibrary, the reserve function fails to include the stagnatedPaBalance in its calculations.
https://github.com/sherlock-audit/2024-08-cork-protocol/blob/main/Depeg-swap/contracts/libraries/VaultPoolLib.sol#L26-L28
The totalPa calculation only considers the current paBalance and addedPa (redeemed using CT), omitting the stagnatedPaBalance. Both paBalance and stagnatedPaBalance are then set to the new attributedToWithdraw value, effectively overwriting any previous stagnant PA without including it in new calculations. This leads to a continuous accumulation of inaccessible PA with each reserve operation.
According to the comment in the code also since PA are not used for providing liquidity to AMM, they should be rationed again at next issuance:
There is another issue that the stagnatedPaBalance is incorrectly set to
attributedToWithdraw
instead ofattributedToAmm
.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
Impact
The users suffer an approximate loss equal to the cumulative amount of PA that becomes inaccessible over time. Users cannot redeem the full amount of PA that should be available in the system.
PoC
No response
Mitigation
Modify the reserve function to include stagnatedPaBalance in the totalPa calculation and correct the stagnatedPaBalance assignment.
Duplicate of #191
The text was updated successfully, but these errors were encountered: