This repository has been archived by the owner on Jan 7, 2024. It is now read-only.
MohammedRizwan - Assets sent from MarginAccount to InsuranceFund will be locked forever #142
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
MohammedRizwan
medium
Assets sent from MarginAccount to InsuranceFund will be locked forever
Summary
Assets sent from MarginAccount to InsuranceFund will be locked forever
Vulnerability Detail
In MarginAccount.sol, at L-407, the token is transferred to the insuranceFund address. The collateral assets will be seized and transferred to the insuranceFund contract. However, there is no way for the liquidity providers of the insuranceFund to get back the collateral assets.
In the current implementation, these collateral assets seized during settleBadDebt() will be frozen in the contract, in essence. They belong to the liquidity providers and they should be able to retrieve them.
But the insurance fund doesn't have a way to transfer non-vusd out of the contract. Assets transferred to the InsuranceFund will be locked forever.
Impact
Assets sent from MarginAccount to InsuranceFund will be locked forever
Code Snippet
https://github.com/hubble-exchange/hubble-protocol/blob/d89714101dd3494b132a3e3f9fed9aca4e19aef6/contracts/MarginAccount.sol#L407
Reference
A similar issue was reported in the V1 Hubble contracts audit, and it seems the mitigation is not incorporated in the contracts. Please refer to the links below for reference:
code-423n4/2022-02-hubble-findings#128
code-423n4/2022-02-hubble-findings#101
Tool used
Manual Review
Recommendation
Have a way for governance to sweep tokens to swap them.
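
One way the recommended sweep could look, as an added sketch that is not part of the original report or of Hubble's code. The contract name, the `governance` and `vusd` fields, the `sweep` signature and the rule that VUSD itself cannot be swept are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical sketch, not Hubble's InsuranceFund: only the sweep path is shown.
contract InsuranceFundSweepSketch {
    address public immutable governance; // assumed governance address
    IERC20 public immutable vusd;        // assumed accounting asset of the fund

    event Swept(address indexed token, address indexed to, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "IF: not governance");
        _;
    }

    constructor(address _governance, IERC20 _vusd) {
        require(_governance != address(0), "IF: zero governance");
        governance = _governance;
        vusd = _vusd;
    }

    /// Move seized non-VUSD collateral out of the fund so it can be swapped.
    function sweep(IERC20 token, address to, uint256 amount) external onlyGovernance {
        // Assumption: VUSD backs LP shares, so it must not leave through this path.
        require(address(token) != address(vusd), "IF: cannot sweep vusd");
        require(to != address(0), "IF: zero recipient");
        require(amount <= token.balanceOf(address(this)), "IF: amount > balance");

        // Low-level call tolerates tokens whose transfer() returns no boolean.
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "IF: transfer failed");

        // Emitting an event makes every sweep visible to LPs and monitoring.
        emit Swept(address(token), to, amount);
    }
}
```

The swap back into VUSD and the crediting of proceeds to the fund are left to whatever process governance uses; this sketch only covers getting the seized collateral out of the contract.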