Description

The function _updateNegativePrincipal is an internal function used to update principal deposits during withdrawals or transfers. The value of principalAssetDiff is first calculated using the amount of shares that are to be removed. Then principalAssetsDeposited[user] and totalPrincipalDeposited is decreased, as shown below:

function _updateNegativePrincipal(address user, uint256 shares) internal {
    uint256 principalAssetDiff =
        (shares * principalAssetsDeposited[user])
        / principalSharesDeposited[user];
    principalAssetsDeposited[user] -=
        principalAssetDiff < principalAssetsDeposited[user] ?
        principalAssetDiff : principalAssetsDeposited[user];
    totalPrincipalDeposited -=
        principalAssetDiff < principalAssetsDeposited[user] ?
        principalAssetDiff : principalAssetsDeposited[user];
    principalSharesDeposited[user] -= shares;
}

Here, the value of principalAssetsDeposited[user] and totalPrincipalDeposited are supposed to be decreased by the same amount. As the value of principalAssetsDeposited[user] is updated first, this updated value will be used to decrease the value of totalPrincipalDeposited, as opposed to the old value. This would lead to principalAssetsDeposited[user] and totalPrincipalDeposited decreased by different amounts.

Impact

The variable totalPrincipalDeposited is used to keep track of total deposited principal and total earnings, which would be incorrect in this case.

Recommendations

The value to be decreased could be stored in a different local variable, and then this value could be used decrease from both the variables.

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit 8cf936e9↗. The Tranche asset tracking feature was removed and moved to off-chain logic.