search

code-423n4 / 2023-05-particle-findings

0 stars 0 forks source link

`addCredit()` impacts the price curve of loan auctions #10

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-particle/blob/1caf678bc20c24c96fc8f6b0046383ff0e9d2a6f/contracts/protocol/ParticleExchange.sol#L518

Vulnerability details

Impact

The price curve of a loan auction is supposed to depend only on block.timestamp, meaning that the price increases as time goes on. However, the addCredit() function allows anyone to change or increase the value of lien.credit. If lien.credit is increased, the price of the auction will also increase. An attacker may abuse this to manipulate the price curve of the auction, such as by increasing the price of the NFT that the contract will pay.

Proof of Concept

The value of currentAuctionPrice should only depend on block.timestamp. However, it uses lien.credit, which can be easily changed by the addCredit() function.

uint256 maxSpendable = lien.credit + lien.price - payableInterest;

/// @dev auctionLive(lien) always implies block.timestamp - lien.auctionStartTime <= _AUCTION_DURATION
uint256 currentAuctionPrice = MathUtils.calculateCurrentAuctionPrice(
    maxSpendable,
    block.timestamp - lien.auctionStartTime,
    _AUCTION_DURATION
);

Tools Used

Manual Review

Recommended Mitigation Steps

Consider disabling addCredit() for loans with a live auction.

Assessed type

Other

hansfriese commented 1 year ago

Impact analysis is not enough to explain how the increase in auction prices will affect the actors.

c4-judge commented 1 year ago

hansfriese marked the issue as unsatisfactory: Insufficient quality

wukong-particle commented 1 year ago

Agreed with the judge, this doesn't deviate from the design and it doesn't hurt the lender, the auction buyer and not benefiting any rational borrower.

c4-sponsor commented 1 year ago

wukong-particle marked the issue as sponsor disputed