search

code-423n4 / 2022-07-yield-findings

0 stars 0 forks source link

There is no boundaries for starting an auction. #157

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L189

Vulnerability details

Impact

The team has brought this contest to be fairer to their users in terms of liquidation mechanism. Looking through this perspective, it can be developed more on the process to be much fairer to the users in volatile market conditions.

Proof of Concept

The auction function checks if the given vault is in already auctioned and the total debt is in minus value also requiring it should not be in the ignored pairs list. The cauldron.level function returns the value of the collateral minus the value of the debt in a given vault, adjusted for collateralization ratio and, after maturity, borrowing rate increase.

require(cauldron.level(vaultId) < 0, "Not undercollateralized");

https://github.com/code-423n4/2022-07-yield/blob/6ab092b8c10e4dabb470918ae15c6451c861655f/contracts/Witch.sol#L189

However, volatile market conditions or an orchestrated actor may trigger this value to be subzero for a moment either with market manipulation or an oracle malfunction. Assuming this value just for a moment under zero orchestrated by an actor, this process will result in that vault being eligible to be auctioned by calling the auction function. So, a well-organized actor can do 4 things in a block to liquidate a volatile vault. Take a loan and manipulate the market/Oracle, call auction, call payBase and liquidate the vault, and return the loan.

Tools Used

Manual review

Recommended Mitigation Steps

There might be a boundary implementation of a liquidation mechanism such as implementing a percentage value of the collateral rather than opting for collateral being a subzero requirement.

alcueca commented 2 years ago

The Cauldron, which includes the collateralization formula, and the oracle layer beyond, are out of scope.

PierrickGT commented 2 years ago

As stated by the sponsor, this issue is out of scope. It is also not clear how this attack could be performed. For these reasons, I have labelled this issue as invalid.