Closed code423n4 closed 1 year ago
I don't think this is exactly feasible but would like some more thought about it. My idea when designing this is that if the rate is above market rate, either the borrowers could burn their power tokens, which they can do at any time, or new lenders would see the mispricing and deposit liquidity, moving the price down.
For me this test doesn't account for the fact that someone new might do one of these two actions in the time period when interest is accruing.
I analogize this to UniswapV3, why haven't we seen liquidity providers collude to only provide liquidity to the 1% fee contract?
kyscott18 requested judge review
I agree with the sponsor. This finding relies on the fact that the majority of LPs have to collude and act in a similar, dishonest way. This does not warrant the High severity chosen by the warden and is overly inflated. I consider QA (Low) to be the appropriate severity given the improbability and heavy reliance on external factors.
berndartmueller changed the severity to QA (Quality Assurance)
berndartmueller marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L71-L102 https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L152-L180 https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L238-L261
Vulnerability details
Impact
How it works
Liquidity providers are supposed to provide the protocol with some funds and receive fees based on the percentage of the fund borrowed and its size. There is a
jumprate
ofkink=0.8
hard coded into the project which means when the percentage of the borrowed liquidity increases over 80%, the fees suddenly go up by each increasing percentage until 100%.The attack
By understanding the fee method of the protocol, we see that the protocol expects the liquidity providers to leave their funds in the pool and receive its fees. However, liquidity providers can possibly collude and increase the percentage of
totalLiquidityBorrowed/totalLiquidity
in two ways:totalLiquidity
totalLiquidityBorrowed
This attack would become more dangerous if the following conditions are true:
When does this attack does not work?
When there is a decent percentage of liquidity providers that are acting honest and not joining in the collude. If the 100 percent of the liquidity providers agree to join together, there is absolutely no down-side to the Liquidity providers at least in short-term. In the case of the collude, if they decide to cut down the liquidity each will take the same percentage off, And if they decide to borrow the remaining money and pay themselves, they will be doing this in proportion of their fees. Even if an honest/unknown liquidity provider joins the pool, all of the dishonest ones can easily revert back to the previous state and continue working like honest nodes.
Therefore, protocol should somehow de-incentivize this behaviour where it can highly profit the dishonest liquidity providers and can cause the borrowers to lose money much faster.
Proof of Concept
In the PoC below, you can see the victim is losing more fees on the same collateral when the liquidity providers collude.
Tools Used
Foundry
Recommended Mitigation Steps
There should be some modifications to the Jumprate contract, where it does not escalate the fees for the previously taken positions. It should be possible for the earlier loans to have some sort of advantage over the newly taken positions.