eeyore - Premature collateralization check in the BaseStakingVault.initiateWithdraw() function can leave accounts undercollateralized
#56
Comments
github-actions
bot
added
the
Excluded
|
2 comment(s) were left on this issue during the judging contest. 0xmystery commented:
Hash01011122 commented:
|
sherlock-admin4
changed the title
BaseStakingVault.initiateWithdraw() function can leave accounts undercollateralizedBaseStakingVault.initiateWithdraw() function can leave accounts undercollateralized
|
I think this is a valid finding. Medium is a reasonable severity imo. @jeffywu this reinforces the need to value withdraw requests as if they were still the staked asset except in the very strict case where we know exactly what we will get upon unstaking and exactly when we will get it |
|
To simplify the issue described, let's illustrate it using the Before initiating a withdrawal, the vault shares' value is calculated based on the rsETH/WETH price. After a withdrawal request, the calculation is based on the stETH/WETH price. In a situation where, for some reason, the stETH price drops compared to rsETH, the user's shares' value will also drop after initiating the withdrawal request, leading to the position becoming unhealthy for both the user and the protocol. In such a case, it is better to block the initiation of the withdrawal. The better operation for the user or the Notional protocol in such cases is to close the position via |
|
Escalate. This is a valid medium issue. |
The escalation could not be created because you are not exceeding the escalation threshold. You can view the required number of additional valid issues/judging contest payouts in your Profile page, |
|
Escalate. Escalating this issue on behalf of the submitter. Please review the above comments. Thanks. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
|
Agree with the escalation, planning to accept it and validate with medium severity. @mystery0x are there additional duplicates? |
|
I believe it is unique. |
sherlock-admin2
added
Reward
|
Result: |
|
Escalations have been resolved successfully! Escalation status:
|
sherlock-admin4
added
the
Escalation Resolved
sherlock-admin3
added
Sponsor Confirmed
|
The protocol team fixed this issue in the following PRs/commits: |
|
The Lead Senior Watson signed off on the fix. |
* fix: adding post mint and redeem hooks * test: changes to base tests * config: changes to config * feat: changes to global * feat: changes to trading * feat: changes to utils * feat: changes to single sided lp * feat: vault storage * fix: misc fixes * fix: staking vaults * fix: solidity versions * fix: test build * fix: adding staking harness * fix: adding initialization * fix: initial test bugs * fix: weETH valuation * fix: deleverage collateral check * fix: initial harness compiling * fix: initial test running * fix: acceptance tests passing * test: migrated some tests * fix: withdraw tests * test: adding deleverage test * fix: adding liquidation tests * test: withdraw request * test: finalize withdraws manual * test: tests passing * fix: single sided lp tests with vault rewarder * fix: putting rewarder tests in * fix: reward tests running * fix: vault rewarder address * fix: initial staking harness * fix: adding staking harness * fix: initial PT vault build * fix: moving ethena vault code * fix: moving etherfi code * feat: adding pendle implementations * fix: staking harness to use USDC * fix: curve v2 adapter for trading * test: basic tests passing * fix: adding secondary trading on withdraw * fix tests * fix: trading on redemption * fix: ethena vault config * fix: switch ethena vault to sell sDAI * fix warnings * fix: more liquidation tests passing * fix: ethan liquidation tests * pendle harness build * fix: initial tests passing * fix: adding pendle oracle * fix: test deal token error * fix: changing pendle liquidation discount * fix: all tests passing * fix: etherfi borrow currency * fix: adding more documentation * change mainnet fork block * properly update data seed files * fix arbitrum tests * fix test SingleSidedLP:Convex:crvUSD/[USDT] * fix: can finalize withdraws * fix: refactor withdraw valuation * fix: pendle expiration tests * fix: pendle pt valuation * remove flag * fix: remove redundant code path * fix: initial commit * fix: vault changes * fix: vault changes * fix: some tests passing * fix: fixing more tests * fix: updated remaining tests * fix: split withdraw bug * fix: new test * fix: remaining tests * fix: split withdraw reqest bug * feat: add PendlePTKelp vault * update oracle address, fix tests * Address CR comments * add test_canTriggerExtraStep * fix tests * fix: run tests * feat: adding generic vault * feat: update generate tests * fix: changes from merge * fix: adding has withdraw requests * fix: update oracle address for network * fix: merge kelp harness * fix: base tests passing * fix: move generation config * fix: initial pendle test generation * fix: mainnet tests passing * fix: vault rewarder * fix: more pendle tests * fix: pendle dex test * fix: adding camelot dex * fix: update usde pt * fix: adding camelot adapter * fix: support configurable dex * fix: adding more PT vaults * fix: approval bug * fix: update dex information * fix: mainnet tests passing * fix: update arbitrum pendle tests * fix: update deployment addresses * test: add balancer v2 batch trade * fix: add given out batch trade * fix: remove trade amount filling * fix: add some comments * fix: audit issue #60 * fix: switch to using getDecimals * fix: sherlock-audit/2024-06-leveraged-vaults-judging#73 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#72 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#70 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#66 * test: adding pendle oracle test * fix: sherlock-audit/2024-06-leveraged-vaults-judging#69 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#64 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#43 * fix: audit issue #18 * fix: move slippage check * fix: add comment back * fix: sherlock-audit/2024-06-leveraged-vaults-judging#56 * test: adding test that catches math underflow * fix: adding test for vault shares * fix: sherlock-audit/2024-06-leveraged-vaults-judging#44 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#6 * test: adds test to check split withdraw request value * fix: sherlock-audit/2024-06-leveraged-vaults-judging#78 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#80 * fix: updating valuations for tests * fix: update run tests * fix: remove stETH withdraws from Kelp in favor of ETH withdraws * fix: update tests for pendle rs eth * fix: resolve compile issues * fix: rsETH oracle price * fix: sherlock-audit/2024-06-leveraged-vaults-judging#87 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#67 * fix: sherlock-audit/2024-06-leveraged-vaults-judging#6 * test: update tests for invalid splits * fix: sherlock fix review comments * merge: merged master into branch * fix: empty reward tokens * fix: claim rewards tests * fix: liquidation tests * fixing more tests * fix: allowing unused reward pools * test: migrating reward pools * fix: rewarder test * fix: claim rewards before withdrawing * fix: deployed vault rewarder lib on arbitrum * fix: deployed new tbtc vault * docs: adding deployment documentation * fix: update config --------- Co-authored-by: sbuljac <[email protected]>
eeyore
Medium
Premature collateralization check in the
BaseStakingVault.initiateWithdraw()function can leave accounts undercollateralizedSummary
The collateralization check is currently performed before the user action that impacts the account's collateralization.
Vulnerability Detail
The
initiateWithdraw()function can affect the solvency of the account. During this process, tokens may be unwrapped and new tokens pushed into the withdrawal queue, altering the underlying tokens for which collateralization was initially checked. This can result in a different collateralization level than initially assessed.Additionally, this contradicts how Notional core contracts perform such checks, where they are always conducted as the final step in any user interaction.
Impact
The account may become undercollateralized or insolvent following the user action.
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/BaseStakingVault.sol#L250-L255
Tool used
Manual Review
Recommendation
Perform the account collateralization check after the
_initiateWithdraw()function call:function initiateWithdraw() external { + _initiateWithdraw({account: msg.sender, isForced: false}); (VaultAccountHealthFactors memory health, /* */, /* */) = NOTIONAL.getVaultAccountHealthFactors( msg.sender, address(this) ); VaultConfig memory config = NOTIONAL.getVaultConfig(address(this)); // Require that the account is collateralized require(config.minCollateralRatio <= health.collateralRatio, "Insufficient Collateral"); - _initiateWithdraw({account: msg.sender, isForced: false}); } }The text was updated successfully, but these errors were encountered: