This repository has been archived by the owner on Nov 19, 2023. It is now read-only.
xiaoming90 - Inconsistent use of VAULT_ACCOUNT_MIN_TIME in vault implementation
#179
Labels
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Won't Fix
The sponsor confirmed this issue will not be fixed
Comments
T-Woodward
added
the
Sponsor Confirmed
|
Given how storage is structured, if we do not set lastUpdatedBlockTime then the prime vault account will end up paying fees on the same time portion twice. This is probably worse than not being able to exit the position twice in succession. Although this issue is correct, the exit time is 1 minute. Will mark this as Won't Fix as the change will probably more complex than the benefit to UX. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
xiaoming90
medium
Inconsistent use of
VAULT_ACCOUNT_MIN_TIMEin vault implementationSummary
There is a considerable difference in implementation behaviour when a vault has yet to mature compared to after vault settlement.
Vulnerability Detail
There is some questionable functionality with the following
requirestatement:https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L242
The
lastUpdateBlockTimevariable is updated in two cases:lastUpdateBlockTime. This is a proactive measure to prevent users from quickly entering and exiting the vault.lastUpdateBlockTimeis updated toblock.timestampafter calculating the pro-rated fee for the prime cash vault.Therefore, before a vault has matured, it is not possible to quickly enter and exit a vault. But after
Constants.VAULT_ACCOUNT_MIN_TIMEhas passed, the user can exit the vault as many times as they like. However, the same does not hold true once a vault has matured. Each time a user exits the vault, they must waitConstants.VAULT_ACCOUNT_MIN_TIMEtime again to re-exit. This seems like inconsistent behaviour.Impact
The
exitVault()function will ultimately affect prime and non-prime vault users differently. It makes sense for the codebase to be written in such a way that functions execute in-line with user expectations.Code Snippet
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/external/actions/VaultAccountAction.sol#L242
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultAccount.sol#L487-L506
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L284
https://github.com/sherlock-audit/2023-03-notional-0xleastwood/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L257
Tool used
Manual Review
Recommendation
It might be worth adding an exception to
VaultConfiguration.settleAccountOrAccruePrimeCashFees()so that when vault fees are calculated,lastUpdatedBlockTimeis not updated toblock.timestamp.The text was updated successfully, but these errors were encountered: