code-423n4 / 2023-01-ondo-findings


Liquidation bots are needed to stabilize the system. #364

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/lending/tokens/cCash/CCash.sol#L137-L144

Vulnerability details

Impact

Allowing liquidation bots to arbitrage would stabilize the system. The majority of liquidations are done by liquidation bots. For liquidation bots to be viable there has to exist a secondary market where the assets can be instantly sold. This is especially important here since only KYC users can liquidate; having bots that can arbitrage would decrease the risk of bad debt and allow for lower liquidation incentives.

Proof of Concept

If there is no way to arbitrage liquidations, no liquidation bots will be present to liquidate positions, which could result in bad debt.

Either liquidation bots can arbitrage, or the liquidation incentives will have to be much higher than usual, since only KYC users can liquidate and there is no way to sell instantaneously.

Tools Used

Manual Review

Recommended Mitigation Steps

One solution to the problem is to have an off-chain order book where users can buy and sell between KYCd users. Users sign a digest with the accepted price that any KYCd user can accept. Ondo would also present all offers and match users on their website. Liquidation bots can use this market to liquidate and sell the tokens in the same transaction if there is an arbitrage opportunity.

Since the minting and redemption of tokens are already centralized, adding an off-chain order book and the matching engine would not add any additional centralization.

An alternative to an off-chain order book would be to use the solution I proposed in the issue "Users have no guarantee of a minimum amount received when minting and redeeming", where users set a minimum acceptable exchange rate they are willing to accept. If anybody that is KYCd is able to serve users that wish to mint but were priced out, bots could arbitrage by selling to those users. Users can keep their "offer" as long as they wish, and any other user could sell them their Cash by interacting with the CashManager and receiving the user's mint balance.
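As an added example (not the warden's or Ondo's code) of the signed-offer market proposed above: a minimal Solidity settlement contract where a KYC'd buyer signs an offer off-chain and any KYC'd seller, such as a liquidation bot that has just received CASH, fills it atomically. The `IKYCRegistry` interface, the token pair and the `Offer` fields are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed KYC registry interface (illustrative; not Ondo's actual API).
interface IKYCRegistry {
    function isKYCd(address user) external view returns (bool);
}

/// Settles off-chain signed buy offers between KYC'd users in one transaction.
contract KYCOfferSettlement {
    struct Offer { address buyer; uint256 cashAmount; uint256 stableAmount; uint256 deadline; uint256 nonce; }

    IERC20 public immutable cash;   // token being sold (e.g. CASH)
    IERC20 public immutable stable; // payment token (e.g. USDC)
    IKYCRegistry public immutable kyc;
    mapping(bytes32 => bool) public filled; // one fill per offer hash (replay protection)

    constructor(IERC20 _cash, IERC20 _stable, IKYCRegistry _kyc) { cash = _cash; stable = _stable; kyc = _kyc; }

    // The digest the buyer signs off-chain; bound to this contract and chain so it cannot be replayed elsewhere.
    function offerHash(Offer calldata o) public view returns (bytes32) {
        return keccak256(abi.encode(address(this), block.chainid, o.buyer, o.cashAmount, o.stableAmount, o.deadline, o.nonce));
    }

    // Any KYC'd seller (e.g. a liquidation bot holding freshly seized CASH) fills the offer.
    function fill(Offer calldata o, bytes calldata sig) external {
        require(kyc.isKYCd(msg.sender) && kyc.isKYCd(o.buyer), "not KYCd");
        require(block.timestamp <= o.deadline, "offer expired");
        bytes32 h = offerHash(o);
        require(!filled[h], "already filled");
        require(o.buyer != address(0) && recover(h, sig) == o.buyer, "bad signature");
        filled[h] = true; // effects before interactions
        require(cash.transferFrom(msg.sender, o.buyer, o.cashAmount), "cash transfer failed");
        require(stable.transferFrom(o.buyer, msg.sender, o.stableAmount), "payment failed");
    }

    // Recovers the signer of an EIP-191 personal_sign message over h (what a wallet's signMessage produces).
    function recover(bytes32 h, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        (bytes32 r, bytes32 s) = (bytes32(sig[0:32]), bytes32(sig[32:64]));
        uint8 v = uint8(sig[64]);
        bytes32 prefixed = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
        return ecrecover(prefixed, v, r, s);
    }
}
```

A bot would batch its liquidation call and `fill` through a caller contract so both succeed or revert together; partial fills are deliberately not supported here.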

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Out of scope