'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
OpenEden Disclosed Report
Audit report OpenEden Smart Contract Audit ContestService Fee Claim Causes TBILL-USDC Depeg → DoS in `_deposit`
Target
https://github.com/OpenEdenHQ/openeden.vault.audit/tree/d18288e944df21729b18d430b2afec2da99b6287
Vulnerability Details
Summary
The claimServiceFee() function allows the protocol to claim unClaimedFee denominated in the underlying token (e.g., USDC). However, these underlying tokens are the exact assets backing TBILLs, and are used in tbillUsdcRate() to calculate the TBILL/USDC exchange rate. As such, claiming any portion of the underlying assets — even a tiny fee — causes the protocol to become undercollateralized.
This directly breaks the tbillUsdcRate() function, which then reverts due to this undercollateralization. Since _deposit(), updateEpoch(), processWithdrawalQueue(), redeem() etc (basically every major function) relies on tbillUsdcRate() to function, this leads to a denial of service in the entire protocol.
Root Cause
In claimServiceFee(), unClaimedFee is transferred out of the contract:
function claimServiceFee() external onlyRole(SERVICE_FEE_CLAIMER_ROLE) {
uint256 feeToClaim = unClaimedFee;
if (feeToClaim == 0) revert NoFeeToClaim();
unClaimedFee = 0;
IERC20MetadataUpgradeable(underlying).safeTransfer(msg.sender, feeToClaim);
emit ServiceFeeClaimed(msg.sender, feeToClaim);
}
This function transfers funds from the contract’s underlying token balance, which is supposed to fully back the TBILLs in existence. Removing any of it causes:
- a slight depeg, meaning the value of all TBILLs is no longer backed by 1:1 USDC.
tbillUsdcRate()to revert due to failing price sanity checks.
function tbillUsdcRate() public view returns (uint256) {
// ...
int256 answer = getTBillOracleAnswer();
if (answer < 0 || tbillUsdPrice < ONE) revert TBillInvalidPrice(answer);
// ...
}
The answer (representing TBILL's USD price) becomes < 1e8 when undercollateralized due to fee withdrawal, causing an immediate revert.
Impact
- Total loss of usability for
_deposit(): it callstbillUsdcRate()and will revert forever onceunClaimedFeeis claimed. - Prevents new users from joining the protocol.
- All minting of TBILL is disabled.
- Affects user trust and economic integrity of the protocol.
Code Flow Evidence
1. updateEpoch() computes unClaimedFee from TVL:
uint256 serviceFee = (tvl * serviceFeeRate * epochLength) / (365 days * FEE_DENOMINATOR);
unClaimedFee += serviceFee;
It is directly proportional to the tvl — but it is not deducted at this point — so totalAssets remains unchanged until claimServiceFee() is called.
2. TBILL rate becomes invalid post-claim:
function tbillUsdcRate() public view returns (uint256) {
int256 answer = getTBillOracleAnswer(); // uses backing (i.e., underlying tokens)
if (answer < 0 || tbillUsdPrice < ONE) revert TBillInvalidPrice(answer);
}
Once unClaimedFee is removed from underlying, the price drops below 1e8.
3. _deposit() becomes permanently broken:
function _deposit(...) internal override returns (uint256) {
uint256 rate = tbillUsdcRate(); // will revert
...
}
No user can deposit anymore.
🛠 Suggested Fix
Do not claim fees from the underlying token balance.
Option 1: Mint TBILLs to fee claimer instead
Instead of pulling funds from underlying, mint TBILLs equivalent to the fee amount:
function claimServiceFee() external onlyRole(SERVICE_FEE_CLAIMER_ROLE) {
uint256 feeToClaim = unClaimedFee;
if (feeToClaim == 0) revert NoFeeToClaim();
unClaimedFee = 0;
_mint(msg.sender, feeToClaim); // mint TBILLs instead
emit ServiceFeeClaimed(msg.sender, feeToClaim);
}
This preserves full backing of TBILLs by underlying assets, while still compensating the service provider.
Option 2: Accrue fees off-chain or from yield only
Only allow unClaimedFee to be claimable from yield or interest earned, not principal. That way, collateral remains intact.
Conclusion
This bug fundamentally breaks core functionality of the protocol (_deposit) and puts the entire collateralization model at risk. It stems from misunderstanding the dual role of underlying as both collateral and claimable fee source.
Severity: Critical
Impact: Denial of Service, Protocol Integrity Loss
🔍 References
claimServiceFee()updateEpoch()tbillUsdcRate()_deposit()
Validation steps
soon...
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
