0x73696d616f - Withdrawing all lv
before expiry will lead to lost funds in the Vault
#211
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Medium
A Medium severity issue.
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
0x73696d616f
Medium
Withdrawing all
lv
before expiry will lead to lost funds in the VaultSummary
VaultLib:redeemEarly() redeems users' liquidity vault positions,
lv
forRa
, before expiry. After expiry, it is not possible to deposit into the vault or redeem early.Whenever all users redeem early, when it gets to the expiry date, VaultLib::_liquidatedLp() is called to remove the lp position from the
AMM
intoRa
andCt
(redeem from thePSM
into moreRa
andPa
) and split among alllv
holders.However, as the total supply of
lv
is0
due to users having redeemed all their positions viaVaultLib::redeemEarly()
, when it gets to VaultPoolLib::reserve(), it reverts due to a division by0
error, never allowing theVault::_liquidatedLp()
call to go through.As the
Ds
has expired, it is also not possible to deposit into it to increase thelv
supply, so all funds are forever stuck.Root Cause
In
MathHelper:134
, theratePerLv
reverts due to division by 0. It should calculate the rate after the return guard that checks if thetotalLvIssued == 0
.Internal pre-conditions
External pre-conditions
None.
Attack Path
Vault::redeemEarlyLv()
.Ds
expires and there is nolv
tokens, making all funds stuck.Impact
All funds are stuck.
PoC
The
MathHelper
separates liquidity by calculating first theratePerLv
, which will trigger a division by 0 revert.Mitigation
The
MathHelper
should place the return guard first:The text was updated successfully, but these errors were encountered: