Closed c4-submissions closed 9 months ago
bytes032 marked the issue as sufficient quality report
All math is in shares, this looks invalid
GalloDaSballo (sponsor) disputed
Agree with sponsor. I believe this report has confused the distinction between "balance" and "scaledBalance". I suggest providing a complete PoC for verification.
jhsagd76 marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L80-L81
https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L91
https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L107
Vulnerability details
Description
When a redemption occurs, CdpManager#_closeCdpByRedemption() would be called via CdpManager#_redeemCollateralFromCdp() like this: https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CdpManager.sol#L171-L177
Within CdpManager#_closeCdpByRedemption(), CollSurplusPool#increaseSurplusCollShares() would be called like this: https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CdpManager.sol#L256-L257
Within CollSurplusPool#increaseSurplusCollShares(), balances[_account] + _amount of surplus collateral (stETH) would be stored as the newAmount into the balances[_account] like this: https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L80-L81
After that, when a borrower claims their surplus collateral (stETH), CollSurplusPool#claimSurplusCollShares() would be called via BorrowerOperations#claimSurplusCollShares() like this: https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/BorrowerOperations.sol#L601
Within CollSurplusPool#claimSurplusCollShares(), the balances[_account] would be stored into the claimableColl. Then, the amount (claimableColl) of collateral (stETH) would be transferred to the given _account like this: https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L91 https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CollSurplusPool.sol#L107
According to the past report by OpenZeppelin, there is a case where a rebase of Lido (stETH) would go in a negative direction due to a slashing event, like this:
Based on that, it is supposed to reflect a negative rebase of Lido (stETH) to the claimable surplus collateral (balance[_account]) and cover the loss due to it in the CollSurplusPool if the negative rebase of Lido would occur.
However, within CollSurplusPool#claimSurplusCollShares(), there is no logic to reflect a negative rebase of Lido to the claimable collateral (balance[_account]) and cover the loss due to it if the negative rebase of Lido would occur.
This is problematic, because the CollSurplusPool would transfer the exact same amount (balance[_account]) of collateral (stETH) as before a negative rebase.
Impact
The CollSurplusPool will have additional losses in that case. Although a negative rebase would decrease the cost of a stETH share, and therefore the surplus collateral (stETH) balance of the CollSurplusPool would be decreased, the CollSurplusPool would still attempt to transfer the exact same amount of surplus collateral (stETH) as before the negative rebase when a borrower claims their surplus collateral. This leads to transferring a larger amount of surplus collateral (stETH) than the amount that should be transferred.
Proof of Concept
Here is a possible scenario:
_account) would be recorded to the balance[_account].
balance[_account] of surplus collateral (stETH), which is the exact same amount of the collateral with the amount of the surplus collateral-recorded when a redemption (Step 1/ above).
Tools Used
Recommended Mitigation Steps
Within CollSurplusPool#claimSurplusCollShares(), consider adding logic that reflects a negative rebase of Lido to the claimable surplus collateral (stETH) and covers the loss due to it if a negative rebase of Lido would occur.
Assessed type
Other
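The following model is an added example, not code from the report or from the Badger contracts. It illustrates the distinction the sponsor and judge raise: under Lido's accounting a stETH balance is shares * totalPooledEther / totalShares, so a ledger kept in shares pays out proportionally less stETH after a negative rebase, while a ledger kept in token amounts would not. The class, function and account names are constructed, and the amount-based ledger is a hypothetical included only for contrast.

```python
class RebasingToken:
    """Constructed Lido-style token: balance = shares * pooled / total_shares."""
    def __init__(self, pooled):
        self.pooled = pooled                  # underlying backing all shares (wei)
        self.total_shares = pooled            # first deposit mints 1:1
        self.shares = {"pool": pooled}

    def balance_of(self, who):
        return self.shares.get(who, 0) * self.pooled // self.total_shares

    def shares_for(self, amount):
        return amount * self.total_shares // self.pooled

    def transfer_shares(self, src, dst, n):
        if self.shares.get(src, 0) < n:
            raise ValueError("insufficient shares")
        self.shares[src] -= n
        self.shares[dst] = self.shares.get(dst, 0) + n

    def rebase(self, pct):
        """Negative rebase (slashing): the pooled amount drops, shares do not."""
        self.pooled = self.pooled * (100 - pct) // 100


ONE = 10**18

def claim_after_slash(track_shares, slash_pct=10):
    """Pool holds 200 stETH owed as surplus, 100 each, to alice and bob."""
    token = RebasingToken(200 * ONE)
    if track_shares:   # ledger unit is shares, as the sponsor describes
        owed = {a: token.shares_for(100 * ONE) for a in ("alice", "bob")}
    else:              # hypothetical ledger in token amounts, for contrast only
        owed = {a: 100 * ONE for a in ("alice", "bob")}
    token.rebase(slash_pct)
    received = {}
    for account, recorded in owed.items():
        n = recorded if track_shares else token.shares_for(recorded)
        try:
            token.transfer_shares("pool", account, n)
            received[account] = token.balance_of(account)
        except ValueError:
            received[account] = None          # pool cannot cover this claim
    return received, token.balance_of("pool")


if __name__ == "__main__":
    print("share ledger: ", claim_after_slash(True))
    print("amount ledger:", claim_after_slash(False))
```

With the share ledger both claimants absorb the 10% slash and the pool ends at zero; with the amount ledger the first claim is paid in full and the second cannot be covered.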