Inconsistent economic scenarios due to `mintFromWhitelistedContract` and `burnFromWhitelistedContract` functions

[akshaysrivastav]

The mintFromWhitelistedContract and burnFromWhitelistedContract functions of DebtToken contract breaks the economics of the Gravita protocol.

Affected smart contract

• DebtToken https://github.com/Gravita-Protocol/Gravita-SmartContracts/blob/6f41018b0832ce6e1465fad5c0f8170f47febb3b/contracts/DebtToken.sol#L65-L73

Description

Gravita is a borrowing protocol which enables users to mint GRAI tokens against their collateral tokens. Gravita follows the economic model of Liquity.

It is a crucial invariant of the protocol that the total debt in protocol should always be less than total collateral assets in the protocol. The total supply of GRAI token is essentially the total debt of Gravita protocol.

The presence of mintFromWhitelistedContract function breaks this invariant. A whitelisted address can mint any number of uncollateralized GRAI tokens to itself. This means the total supply of GRAI can exceed the total amount of collateral in the protocol.

As GRAI is a fungible token it is impossible to differentiate between collateralized GRAI and uncollateralized GRAI. This creates several issues if these uncollateralized GRAI tokens enter the public markets. This can happen if GRAI are distributed as rewards, or simply sold in public markets. These uncollateralized GRAI tokens can then re-enter the Gravita protocol and can be used to:

• repay debt
• redeem collateral
• liquidate vessels
• deposited into stability pool

All these scenarios are completely unintensional and break the invariant and working of Gravita protocol.

Similarly the burnFromWhitelistedContract function can be used to burn collateralized GRAI which will permanently lock the collateral behind those GRAI tokens.

Moreover the mintFromWhitelistedContract and burnFromWhitelistedContract functions are never internally used in the Gravita protocol. So the usage of these functions is unknown.

Attack scenario

Consider these scenarios:

• Gravita has $1000 worth of collateral and has minted $500 worth of GRAI.
• Using the mintFromWhitelistedContract 600 GRAI tokens get minted.
• The protocol now has $1000 worth of collateral and has minted $1100 worth of GRAI.
• Those 600 GRAI (if enters public market) can be used to repay the debt or redeem collateral, leaving the protocol economics in an inconsistent state.

Another example:

• Gravita has $1000 worth of collateral and has minted $500 worth of GRAI.
• A whitelisted address gets hold of some collateralized GRAI.
• Using the burnFromWhitelistedContract 500 GRAI tokens get burned.
• The protocol now has $1000 worth of collateral and has minted $0 worth of GRAI.
• The collateral is now in locked state.

Recommendation

Consider removing the mintFromWhitelistedContract and burnFromWhitelistedContract functions. Or implement mechanisms to differentiate collateralized and uncollateralized GRAI tokens and make sure all the above mentioned scenarios cannot happen.

[0xfornax]

We appreciate the submission. This design will be used to allow future features like whitelisting a contract that would mint new GRAI tokens and submit to supported L2s in a way that minting only happens on mainnet.