Category: Coding Mistakes

iUSPC Tokens are not burned during instant vault redemptions

Impact: Critical
Severity: Critical
Likelihood: High

Description

The vaultRedemption function in IUSPCHub allows whitelisted vaults to instantly redeem iUSPC for collateral. The function correctly transfers iUSPC from the vault to the Hub and transfers the corresponding USDC out. However, it fails to burn the iUSPC tokens received by the Hub. This contrasts with the standard processRedemptions function, which correctly burns the accumulated tokens.

Impact

This is a critical accounting error that breaks the fundamental backing of the system. When a vault redeems, collateral is paid out, but the liability remains in circulation, trapped within the IUSPCHub. The total supply of iUSPC becomes inflated relative to the assets under management, making the system fractionally reserved.

function testVaultRedemptionDoesNotBurnTokens() public {
    vm.startPrank(admin);
    hub.addVaultToWhitelist(vault);
    vm.stopPrank();

    // Setup vault with iUSPC
    usdc.mint(vault, USDC_AMOUNT);
    vm.startPrank(vault);
    usdc.approve(address(hub), USDC_AMOUNT);
    hub.vaultSubscription(USDC_AMOUNT);
    
    uint256 iuspcBalance = iuspc.balanceOf(vault);
    vm.stopPrank();

    uint256 totalSupplyBefore = iuspc.totalSupply();
    uint256 hubBalanceBefore = iuspc.balanceOf(address(hub));
    console2.log("hubBalanceBefore: ", hubBalanceBefore);
    
    // Vault redemption
    vm.startPrank(vault);
    iuspc.approve(address(hub), iuspcBalance);
    hub.vaultRedemption(iuspcBalance);
    vm.stopPrank();

    uint256 totalSupplyAfter = iuspc.totalSupply();
    uint256 hubBalanceAfter = iuspc.balanceOf(address(hub));

    // Verify iUSPC was transferred to hub but NOT burned
    assertEq(hubBalanceAfter, hubBalanceBefore + iuspcBalance, "iUSPC should be in hub");
    assertEq(totalSupplyAfter, totalSupplyBefore, "Total supply should NOT decrease (BUG: tokens not burned)");
    console2.log("hubBalanceAfter: ", hubBalanceAfter);
}

Recommendations

We recommend modifying the vaultRedemption function to burn the iUSPC tokens immediately.
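
A reduced model of the two redemption paths, added here as an illustration and not taken from the IUSPCHub source or from the fix commit. ModelToken, ModelHub, the Unburned/Burned function suffixes, the 1:1 rate and the omission of whitelisting and token access control are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for both USDC and iUSPC. Unrestricted mint/burn/move
// is a simplification for the model; a real token gates these calls.
contract ModelToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function mint(address to, uint256 amt) external { balanceOf[to] += amt; totalSupply += amt; }
    function burn(address from, uint256 amt) external { balanceOf[from] -= amt; totalSupply -= amt; }
    function move(address from, address to, uint256 amt) external {
        balanceOf[from] -= amt; // reverts on underflow in 0.8.x
        balanceOf[to] += amt;
    }
}

// Hypothetical hub: 1 iUSPC is issued and redeemed per 1 USDC (assumed rate).
contract ModelHub {
    ModelToken public usdc = new ModelToken();
    ModelToken public iuspc = new ModelToken();

    function vaultSubscription(uint256 amt) external {
        usdc.move(msg.sender, address(this), amt); // collateral in
        iuspc.mint(msg.sender, amt);               // liability created
    }

    // Behaviour described in the finding: iUSPC is parked on the hub and
    // totalSupply is unchanged while collateral leaves.
    function vaultRedemptionUnburned(uint256 amt) external {
        iuspc.move(msg.sender, address(this), amt);
        usdc.move(address(this), msg.sender, amt);
    }

    // Recommended shape: retire the liability in the same call that pays out.
    function vaultRedemptionBurned(uint256 amt) external {
        iuspc.move(msg.sender, address(this), amt);
        iuspc.burn(address(this), amt);
        usdc.move(address(this), msg.sender, amt);
    }

    // Backing invariant under the 1:1 assumption: collateral covers supply.
    function fullyBacked() external view returns (bool) {
        return usdc.balanceOf(address(this)) >= iuspc.totalSupply();
    }
}
```

In this model, a subscription followed by vaultRedemptionUnburned leaves fullyBacked() returning false, while the same sequence through vaultRedemptionBurned keeps it true. The same supply-versus-collateral comparison can serve as a Foundry invariant over every redemption path.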

Remediation

This issue has been acknowledged by Coinshift, and a fix was implemented in commit d14d8915.

Zellic © 2025