This finding chains multiple other observations to borrow for free
Because a Trove can be opened with 0 net debt, such trove won't pay a borrow fee
By opening a myriad of Troves, with a ICR < TCR we can drag the TCR down
By choosing an oracle price that is a valid negative update (for collateral, or positive update for debt denomination), we can hurt the ICR of these position slightly
When the system is in Recovery Mode, no borrowing fee is paid on opening a position, this can help borrow more stablecoin as a means to raise the ownership percentage of attacker in the Stability Pool, making the liquidations directly profitable to them
This allows to trigger Recovery Mode at will, and liquidate any victim with ICR < TCR
POC
Setup by opening a myriad of Troves at ICR < TCR
Update the price to trigger Recovery Mode
Open the "real" trove a user wanted to open
Borrow and bypass fees
Liquidate Victims
Close all other Troves that were opened for the setup
This can be fully automated with a smart contract that creates new proxies that open a Trove each
This could be used for 3 key reasons:
Trigger Recovery Mode and Liquidate other people
Borrow for free
Raise the total amount of debt in the system to reduce the net fee on redemptions
Mitigation
I believe that Oracle price being non-deterministic on each block is a key issue
Additionally the fact that no minimum borrow size is enforced, means that these 0-net-debt are effectively free to open, whereas if some fee was charged that wouldn't be the case
Alternatively, you could always enforce a borrow fee at all times, this would have the downside of making liquidations less profitable and should be further researched
Impact
This finding chains multiple other observations to borrow for free
Because a Trove can be opened with 0 net debt, such trove won't pay a borrow fee
By opening a myriad of Troves, with a ICR < TCR we can drag the TCR down
By choosing an oracle price that is a valid negative update (for collateral, or positive update for debt denomination), we can hurt the ICR of these position slightly
When the system is in Recovery Mode, no borrowing fee is paid on opening a position, this can help borrow more stablecoin as a means to raise the ownership percentage of attacker in the Stability Pool, making the liquidations directly profitable to them
This allows to trigger Recovery Mode at will, and liquidate any victim with ICR < TCR
POC
This can be fully automated with a smart contract that creates new proxies that open a Trove each
This could be used for 3 key reasons:
Mitigation
I believe that Oracle price being non-deterministic on each block is a key issue
Additionally the fact that no minimum borrow size is enforced, means that these 0-net-debt are effectively free to open, whereas if some fee was charged that wouldn't be the case
Alternatively, you could always enforce a borrow fee at all times, this would have the downside of making liquidations less profitable and should be further researched