code-423n4 / 2023-10-ethena-findings


There is no check for collateral token in mint matches same in withdraw #699

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/EthenaMinting.sol#L162

https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/EthenaMinting.sol#L194

Vulnerability details

Impact

While we understand that usde is the base token here, we see that on minting usde token you would need to transfer some tokens to the contract and get some usde minted to you and on redemption get usde burnt to get a token sent back to you. The implication of this comes from the volatility of tokens, where a volatile token TokenA at a high is deposited and redeemed with another token TokenB which is temporarily trending down to gain more value of TokenB with expectation to reverse trends. This would lead to a loss to Ethena as Perps Short vs Spot Long across tokens allows for loss of value due to volatility.

Proof of Concept

If a user (mostly a MEV bot would be capable of this) deposits 10 tokens of BTC at value 30000 for each, to total 300000 value of usde used and then redeems with eth at current value of 2000, you would expect to get 150 eth after 300000 usde is burned, but in a scenario where btc is trending up and eth is in reverse trend, the exchange rate of btc/eth (1:x ratio) could be volatile and cause impermanent loss for user or Ethena depending on the trend. Redeeming like 100k of usde might not trigger a redemption of btc due to some tokens in the contract and the user could redeem 50 eth and then a long eth perp and short eth spot is opened, the rate of trend is not same and value difference would be different and 50 eth might not be worth 90k, vs 3.33 btc worth 100k instead of 110k to balance and eth perps long could suffer more loss than the reverse position.

Tools Used

Manual Review

Recommended Mitigation Steps

Force collateral token used in depositing to match collateral token in withdrawing on the contract (zero trust on caller). This would ensure an exchange rate of 1:1 ratio and force withdrawal to open an exact opposite position as deposit, so that for the perp short opened on 10 btc for 300000, perp long opened for 3.33 btc for 100000 and very little difference is felt as the rate of change of values is the same.

Assessed type

ERC20

c4-pre-sort commented 11 months ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #145

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid