KingNFT - Fund might be locked due to improper implemention of triggerEndEpoch() function

[sherlock-admin]

KingNFT

medium

Fund might be locked due to improper implemention of triggerEndEpoch() function

Summary

The triggerEndEpoch() function is missing to check if collateralVault.totalAssets(_epochId) == 0, calling triggerEndEpoch() in this scenario will lock premiumTVLAfterFee into the collateral vault.

Vulnerability Detail

Let's say the keeper is offline temporary and an epoch with = 0 collateral but > 0 premium is not nulled in due time, and now block.timestamp > epochEnd.
If an attacker or user calls triggerEndEpoch() instead of triggerNullEpoch() in this scenario, premiumTVLAfterFee will be transferred to the collateral vault. But as collateralVault.totalAssets(_epochId) == 0, these funds can be claimed by no one, locked in the collateral vault for ever.

File: src\v2\Controllers\ControllerPeggedAssetV2.sol
144:     function triggerEndEpoch(uint256 _marketId, uint256 _epochId) public {
145:         address[2] memory vaults = vaultFactory.getVaults(_marketId);
146: 
147:         if (vaults[0] == address(0) || vaults[1] == address(0))
148:             revert MarketDoesNotExist(_marketId);
149: 
150:         IVaultV2 premiumVault = IVaultV2(vaults[0]);
151:         IVaultV2 collateralVault = IVaultV2(vaults[1]);
152: 
153:         if (
154:             premiumVault.epochExists(_epochId) == false ||
155:             collateralVault.epochExists(_epochId) == false
156:         ) revert EpochNotExist();
157: 
158:         (, uint40 epochEnd, ) = premiumVault.getEpochConfig(_epochId);
159: 
160:         if (block.timestamp <= uint256(epochEnd)) revert EpochNotExpired();
161: 
162:         //require this function cannot be called twice in the same epoch for the same vault
163:         if (premiumVault.epochResolved(_epochId)) revert EpochFinishedAlready();
164:         if (collateralVault.epochResolved(_epochId))
165:             revert EpochFinishedAlready();
166: 
167:         premiumVault.resolveEpoch(_epochId);
168:         collateralVault.resolveEpoch(_epochId);
169: 
170:         uint256 epochFee = vaultFactory.getEpochFee(_epochId);
171: 
172:         uint256 premiumTVL = premiumVault.finalTVL(_epochId);
173:         uint256 collateralTVL = collateralVault.finalTVL(_epochId);
174: 
175:         uint256 premiumFee = calculateWithdrawalFeeValue(premiumTVL, epochFee);
176: 
177:         uint256 premiumTVLAfterFee = premiumTVL - premiumFee;
178:         uint256 collateralTVLAfterFee = collateralTVL + premiumTVLAfterFee;
179: 
180:         // strike price is not reached so premium is entiled to 0
181:         premiumVault.setClaimTVL(_epochId, 0);
182:         // strike price is not reached so collateral is entitled to collateralTVL + premiumTVLAfterFee
183:         collateralVault.setClaimTVL(_epochId, collateralTVLAfterFee);
184: 
185:         // send premium fees to treasury and remaining TVL to collateral vault
186:         premiumVault.sendTokens(_epochId, premiumFee, treasury);
187:         // strike price reached so collateral is entitled to collateralTVLAfterFee
188:         premiumVault.sendTokens(
189:             _epochId,
190:             premiumTVLAfterFee,
191:             address(collateralVault)
192:         );
193: 
194:         emit EpochResolved(
195:             _epochId,
196:             _marketId,
197:             VaultTVL(collateralTVLAfterFee, collateralTVL, 0, premiumTVL),
198:             false,
199:             block.timestamp,
200:             0
201:         );
202:     }

Impact

premiumTVLAfterFee might me locked into the collateral vault.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L144

Tool used

Manual Review

Recommendation

Don't allow triggerEndEpoch() while collateralVault.totalAssets(_epochId) == 0

Duplicate of #108