No timelock when changing ratio of risky collateral

[code423n4]

Handle

kenzo

Vulnerability details

Protocol can immediately change collateral ratio, and therefore VC value. This can make troves liquidatable without due notice.

Impact

Borrowers might be liquidated without giving opportunity to update their collateral.

Proof of Concept

There is no timelock on a collateral's changeRatio. (Code ref)

This ratio is what determines an asset's VC value. (Code ref)

Liquidations are based on VC value: When liquidating in normal mode, TroveManagerLiquidations will call _getTotalsFromBatchLiquidate_NormalMode, which will calculate the trove's ICR using troveManager.getCurrentICR, which calls _getICRColls, which calculates the collateral's VC value.

So Yeti can update the ratio and make a safe user liquid. If there would be a timelock, there is guarantee that the user has some time to update his collateral, plus scripts can be created that will notify the user that his position needs to be updated, or even add collateral automatically.

Recommended Mitigation Steps

Add a timelock to changeRatio.

[kingyetifinance]

@LilYeti: It should never reduce the ratio, which was a soft check but it would be good to have this in code. Not necessarily a time lock but to confirm the ratio never decreases.

[kingyetifinance]

So should be severity 1.

[0xtruco]

Resolved, safety ratio cannot be decreased now. To do this we would have to deprecate the asset, and redeploy it with a wrapper.

[alcueca]

To be honest, I don't consider this an issue. There is no written guarantee that the protocol must give users warning of upcoming changes. If such a feature is desired, a timelock can be installed externally to this function, and externally to all privileged functions. I don't think that the sponsor should have fixed this.