code-423n4 / 2022-01-sherlock-findings


ISherlockClaimManager: Outdated example on claims process #229

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

GreyArt

Vulnerability details

Impact

The escalation claims process is somewhat explained in ISherlockClaimManager, but is outdated and has confusing // + 1x final fee and // + 2x final fee comments. The referenced parties for proposer and disputor (note that UMA names it disputer) can also be a source of confusion since they differ from the actual implementation.

// requestAndProposePriceFor() --> proposer = protocolAgent
// disputePriceFor() --> disputor = sherlock.strategyManager() (current active one)
// priceSettled will be the callback that contains the main data

// user has to pay 7.5k to dispute a claim, we will execute a safeTransferFrom(user, address(this), 7.5k)
// we need to approve the contract 7.5k as it will be transferred from address(this)  // + 2x final fee
// the bond will be 5k on requestAndProposePriceFor()                                 // + 1x final fee
// the bond will be 2.5k on disputePriceFor()                                         // + 1x final fee
// on settle either strategy gets 7.5k. or the proposer get their bond back.           // + 1x final fee

...

// On price proposed callback --> call disputePriceFor with callbackdata + sherlock.strategyManager() and address(this)

Recommended Mitigation Steps

// requestAndProposePriceFor() --> proposer = sherlockCore (address to receive BOND if UMA denies claim)
// disputePriceFor() --> disputer = protocolAgent
// priceSettled will be the callback that contains the main data

// Assume BOND = 9600, UMA's final fee = 400
// Claim initiator has to pay 20k to dispute a claim, we will execute a safeTransferFrom(claimInitiator, address(this), 20k)
// we need to approve the contract 20k as it will be transferred from address(this)
// the 20k consists of 2 * (BOND + final fee charged by UMA)
// the bond + fee will be 10k on requestAndProposePriceFor()
// the bond + fee will be 10k on disputePriceFor()
// note that half of the bond + final fee is "burnt" and sent to UMA (4800 + 400)
// on settle either the protocolAgent (dispute success) or sherlockCore (dispute failure)
// will receive 9600 + 4800 + 400 = 14800. In addition, the protocolAgent will be entitled to
// the claimAmount if the dispute is successful
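The escrow and settlement accounting in the proposed comment, modelled as a small Python script. This is an added example and not code from the Sherlock contracts or from the finding's author; it assumes the UMA Optimistic Oracle rule that on a disputed request half of the losing bond plus one final fee is kept by UMA, and the BOND/final-fee figures are the constructed ones from the comment above (9600 and 400). `CLAIM_AMOUNT`, `required_escrow`, `burned_amount`, `settle` and `conservation_holds` are names chosen here for illustration.

```python
from dataclasses import dataclass

# Constructed figures, taken from the example in the finding above.
BOND = 9600
FINAL_FEE = 400
CLAIM_AMOUNT = 1_000_000  # hypothetical claim size, assumed for illustration


@dataclass
class Settlement:
    escrowed: int        # pulled from the claim initiator up front
    burned_to_uma: int   # half of one bond plus one final fee, kept by UMA
    payout: int          # what the winning side receives back from the oracle
    winner: str          # "protocolAgent" or "sherlockCore"
    claim_paid: int      # claimAmount owed on top of the payout, if any


def required_escrow(bond: int, final_fee: int) -> int:
    """Both the proposal and the dispute post (bond + final fee), so the
    contract must pull from the claim initiator, and approve to UMA,
    2 * (bond + final_fee). With 9600 / 400 that is the 20k in the comment."""
    return 2 * (bond + final_fee)


def burned_amount(bond: int, final_fee: int) -> int:
    """Assumed UMA rule: on a disputed request half of the losing bond plus one
    final fee goes to the UMA store and is not returned to either party."""
    return bond // 2 + final_fee


def settle(bond: int, final_fee: int, dispute_succeeded: bool, claim_amount: int) -> Settlement:
    """Route the oracle payout to the party the finding names for each outcome.

    Dispute succeeded  -> protocolAgent receives the payout and the claimAmount.
    Dispute failed     -> sherlockCore receives the payout, no claim is paid.
    """
    escrowed = required_escrow(bond, final_fee)
    burned = burned_amount(bond, final_fee)
    payout = escrowed - burned  # = bond + bond // 2 + final_fee, 14800 in the example
    if dispute_succeeded:
        return Settlement(escrowed, burned, payout, "protocolAgent", claim_amount)
    return Settlement(escrowed, burned, payout, "sherlockCore", 0)


def conservation_holds(s: Settlement) -> bool:
    """Every token escrowed either comes back as payout or is burned to UMA."""
    return s.escrowed == s.payout + s.burned_to_uma


if __name__ == "__main__":
    for outcome in (True, False):
        s = settle(BOND, FINAL_FEE, outcome, CLAIM_AMOUNT)
        print(f"dispute_succeeded={outcome}: escrow={s.escrowed} burned={s.burned_to_uma} "
              f"payout={s.payout} -> {s.winner}, claim_paid={s.claim_paid}")
        assert conservation_holds(s)
```

The invariant in `conservation_holds` is the check worth carrying into the contract comment: the 20k approval, the 5200 burned and the 14800 payout must add up, otherwise one of the three figures in the comment is wrong.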
Evert0x commented 2 years ago

Non critical