'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden USDO Express Smart Contract Audit ContestLiquidity Accounting Vulnerability: Any User Quota Deletion Leads to Incorrect Liquidity Distribution
Target
https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/tree/f3f31d2ac15e3253cba342229f9d05495f95d6fd
Vulnerability Details
Contract: LiquidityController.sol
Location: https://github.com/OpenEdenHQ/openeden.usdoexpress.audit/blob/main/contracts/extensions/redemption/LiquidityController.sol#L109-L111
Severity: CRITICAL
Type: Phantom Liquidity Creation / Over-consumption
Vulnerability Description
Any removal of a user's quota (setting userQuota to 0) creates phantom liquidity by incorrectly decrementing the totalUsed counter. This breaks the fundamental accounting invariant and allows the system to allocate more liquidity than physically available.
Root Cause
When removing a user's quota via setUserQuota(user, 0), the contract incorrectly decrements totalUsed by the user's usedQuota amount:
// LiquidityController.sol, lines 106-113
} else {
// Removing quota - also clear used quota
authorizedUsers[user] = false;
if (usedQuota > 0) {
totalUsed = totalUsed - usedQuota; // ❌ BUG HERE
usedQuotas[user] = 0;
}
}
The Problem: The code assumes that used liquidity "returns" to the pool when a quota is removed. However, this liquidity was already physically spent through UsycRedemption contract and does NOT return to the pool.
Impact
- Phantom Liquidity Creation: Any quota deletion creates "fake" available liquidity that doesn't physically exist
- Over-consumption: Allows spending 20-100%+ beyond the
totalLiquiditylimit - Incorrect Liquidity Distribution: System allocates more quotas than physically available
- Silent Accumulation: Phantom liquidity accumulates during normal operations
Accumulation Effect
Day 1: 1 user removed → 50 USYC phantom liquidity
Day 2: 2 users removed → 100 USYC phantom liquidity
Day 3: 3 users removed → 150 USYC phantom liquidity
...
Month: 30 users removed → 1,500 USYC phantom liquidity 💸
Recommended Fixes
Fix 1: Do Not Automatically Decrement totalUsed (Recommended)
Current problematic code:
} else {
// Removing quota - also clear used quota
authorizedUsers[user] = false;
if (usedQuota > 0) {
totalUsed = totalUsed - usedQuota; // ❌ REMOVE THIS LINE
usedQuotas[user] = 0;
}
}
Fixed code:
} else {
// Removing quota - DON'T automatically restore used quota
authorizedUsers[user] = false;
// Keep usedQuota in totalUsed - it was really consumed!
// Owner must manually call restoreLiquidity() if appropriate
usedQuotas[user] = 0; // Clear user's record only
}
Key principle: totalUsed should always reflect really spent liquidity, not just sum of current usedQuotas of active users.
Validation steps
Partial Quota Usage - The Most Common Case
Description: User consumes only part of their quota before removal. This is the most realistic scenario as users rarely use 100% of allocated quotas.
Test: test_CRITICAL_PartialUsage_StillVulnerable()
File: LiquidityControllerAccountingBug.t.sol
Simple Example, I also showed the whole path in the diagram below.
Setup:
totalLiquidity = 1,000 USYC
Alice quota = 100, Bob quota = 60
totalAllocated = 160, totalUsed = 0
Step 1: Alice uses 50 USYC (partial)
reserveLiquidity(Alice, 50)
totalUsed = 50
Physical: 50 USYC GONE (converted to USDC)
Step 2: Admin removes Alice (BUG)
setUserQuota(Alice, 0)
Code: totalUsed = 50 - 50 = 0 ❌
Contract thinks: 50 USYC "returned"
Reality: 50 USYC still GONE
Step 3: Admin adds Carol
setUserQuota(Carol, 940)
Check: 60 + 940 ≤ 1,000 ✅ PASSES
totalAllocated = 1,000
Step 4: PROBLEM
Carol needs: 940 USYC
Available: 890 USYC (1K - 50 Alice - 60 Bob)
SHORTAGE: 50 USYC ❌
Result:
Admin can add to Carol: 940 ❌ WRONG
Admin only can add: 890 ✅ CORRECT
But checks passed ❌
BUG: totalUsed incorrectly decremented on deletion
RESULT: 50 USYC phantom liquidity created
Why This Is Legitimate Admin Behavior
This scenario involves zero admin mistakes. Every action is standard operational procedure:
- Setting Quotas - Standard portfolio management
- Partial Usage - Users rarely use 100% of quota (normal)
- Removing User - Alice leaves program early (legitimate)
- Reallocating to New User - Admin wants to use "available" quota
Admin is doing exactly what the system appears to allow and what makes business sense, but the system silently creates phantom liquidity during this normal flow.
Test Implementation
File: test/LiquidityControllerAccountingBug.t.sol
Test Function: test_CRITICAL_PartialUsage_StillVulnerable()
Run Test:
forge test --match-test test_CRITICAL_PartialUsage_StillVulnerable -vv
Expected Output:
[PASS] test_CRITICAL_PartialUsage_StillVulnerable()
Contract thinks: totalUsed = 1,000 USYC ✅
Reality: 1,050 USYC consumed ❌
EXCESS: 50 USYC (5%)
Summary
This vulnerability demonstrates how any user quota deletion creates phantom liquidity by incorrectly decrementing the totalUsed counter. The simple example above shows:
- 5% over-consumption with just partial usage (1,050 vs 1,000 limit)
- Legitimate admin operations trigger the bug
- Silent accumulation during normal business flow
- No error messages - system appears to work correctly
The bug is inevitable in any system with user quota management and rotation, making it a critical design flaw rather than an edge case.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
