Open c4-submissions opened 11 months ago
bytes032 marked the issue as insufficient quality report
bytes032 marked the issue as sufficient quality report
bytes032 marked the issue as insufficient quality report
GalloDaSballo (sponsor) disputed
We have a higher fee for this purpose, missing all the math modelling
the purpose mentioned above can be achieved by monitoring the memory pool. But at the current interest rate, steth changes the base at about 1/10,000 per time. The attacker cannot profit, so it is to qa
jhsagd76 changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/PriceFeed.sol#L98 (https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/BorrowerOperations.sol#L561
Vulnerability details
Impact
Chainlink use stETH oracle and stETH rebase can have delay and impact protocol accounting
Proof of Concept
the protocol has two way to value the collateral worth
which calls this line of code
to handle the rebase behavior, the amount of share is tracked instead of amount of stETH is used
so to convert the exact amount of stETH, the function
however, stETH has a rebase mechanism, all reward or loss is socalized to all stETH holder by increasing / decreasing share value
so the collateral.getPooledEthByShares is considered most up-dated valuation
and when position rebase happens, say the worth increase from 2000 USD to 2100 USD
or
when position rebase happens, say the worth increase from 2000 USD to 1900 USD
the chainlink price feed can have delays
so the use of priceFeed.fetchPrice() to determine collateral worth can use the outdated price before the rebasing
for example, in this line of code
if the positive rebase already happens and but the chainlink price is not updated yet,
the price is oudated and the code can incorrectly bypass the check
and close cdp
Tools Used
Manual Review
Recommended Mitigation Steps
i think the protocol should use oracle consistently either use priceFeed.fetchPrice() or collateral.getPooledEthByShares across the codebase
Assessed type
Invalid Validation