Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Picodes marked the issue as grade-a
Picodes marked the issue as selected for report
Giving grade-a and best QA report for the multiple downgraded and interesting QA findings by this warden, including #76, #70, #50, #109, #127, #107, #101, #83, #78, etc
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L273
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L288
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L303
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L311
Vulnerability details
Impact
Lack of reasonable boundary for parameter setting in fee setting and liquidation length
Proof of Concept
According to the documentation,
https://docs.astaria.xyz/docs/protocol-mechanics/liquidations
In the constructor of AstariaRouter.sol
Link here
but these parameters can be adjusted with no boundary restriction in the file function:
the admin can adjust the auction length to be very short or very long, which violates the documentation.
If the admin adjusts the auction length to be very short, for example 2 hours, the auction time is too short for people to purchase the outstanding debt, and the lender has to bear the loss.
If the auction length is too long, for example 2000 days, this is basically equal to locking the NFT auction funds, and the lender will not get paid either.
According to the documentation,
https://docs.astaria.xyz/docs/protocol-mechanics/refinance
However, in the constructor of AstariaRouter.sol
such a parameter is not enforced:
s.minDurationIncrease is set to 5 days, not 14 days.
Link here
which impacts the refinance logic.
The relevant parameters s.minInterestBPS and s.minDurationIncrease can be adjusted in the file function with no boundary setting.
The impact is that if the loan duration increase is too long and the interest decrease is too large, this may favor the lender too much and be unfair to the borrower. The payment to the lender can be delayed indefinitely.
If the loan duration increase is too short and the interest decrease is too small, the refinance becomes pointless.
If the admin changes the protocol fee, buyout fee, epoch length or max interest rate with no reasonable boundary by calling Astaria#file, the impact is severe:
The admin can charge a high liquidation fee, and there may not be enough funds left to pay out the outstanding debt.
The admin can charge a high buyout fee, which impacts the lien token buyout.
If the max interest rate is high, the interest can become unreasonable for a vault and not fair for the lender to pay out the accruing debt.
If the epoch length is too long, the gap between withdrawals is too long and users cannot withdraw their funds on time.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend the protocol add reasonable boundaries to the fee settings and the liquidation length setting.
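One way to express that mitigation, as an added illustration that is not Astaria's code: a single admin setter in the style of a file(what, data) entry point, where every key carries fixed lower and upper bounds that the admin cannot move. The key names, units and bound values below are assumptions chosen to mirror the parameters this report discusses, not protocol values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical bounded parameter store (illustration only, not AstariaRouter).
contract BoundedFile {
    error OutOfBounds(bytes32 what, uint256 value, uint256 lo, uint256 hi);
    error UnknownKey(bytes32 what);
    error NotAdmin();

    struct Bounds { uint256 lo; uint256 hi; bool set; }

    address public immutable admin;
    mapping(bytes32 => uint256) public params;
    mapping(bytes32 => Bounds) public bounds;

    event Filed(bytes32 indexed what, uint256 value);

    constructor() {
        admin = msg.sender;
        // Guard rails fixed at deployment (assumed values). There is deliberately
        // no setter for them, so the admin can tune inside the range but never outside it.
        bounds["auctionWindow"]       = Bounds(1 days, 7 days, true);   // seconds
        bounds["minDurationIncrease"] = Bounds(1 days, 30 days, true);  // seconds
        bounds["minInterestBPS"]      = Bounds(1, 1000, true);          // 0.01% .. 10%
        bounds["protocolFeeBPS"]      = Bounds(0, 1000, true);          // at most 10%
        bounds["buyoutFeeBPS"]        = Bounds(0, 1000, true);          // at most 10%
        bounds["epochLength"]         = Bounds(1 days, 30 days, true);  // seconds
        bounds["maxInterestRate"]     = Bounds(0, 1e18, true);          // WAD, 1e18 = 100%
    }

    /// Admin setter: unknown keys are rejected and every known key is range-checked,
    /// so a value such as a 2-hour or 2000-day auction window reverts instead of taking effect.
    function file(bytes32 what, uint256 value) external {
        if (msg.sender != admin) revert NotAdmin();
        Bounds memory b = bounds[what];
        if (!b.set) revert UnknownKey(what);
        if (value < b.lo || value > b.hi) revert OutOfBounds(what, value, b.lo, b.hi);
        params[what] = value;
        emit Filed(what, value);
    }
}
```

Emitting the bounds in the revert reason makes an out-of-range governance proposal visible to monitoring before it is ever applied.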