Open c4-submissions opened 1 year ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as high quality report
pi0neerpat (sponsor) confirmed
MiloTruck marked the issue as satisfactory
MiloTruck marked the issue as selected for report
In _generateDebt(), _collectAndExitCoins() is called to transfer system coins equivalent to the requested amount of collateral instead of the actual amount used for debt. This will cause the function to revert should _deltaWad be higher than the amount of collateral the user has in his safe to generate debt.
Since this is a case of the function not working as intended, I believe medium severity is appropriate.
Lines of code
https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/actions/BasicActions.sol#L94-L115
https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/actions/BasicActions.sol#L31-L47
Vulnerability details
Impact
When the user generates a debt against his collateral (when he locks a collateral first) in BasicActions.generateDebt:
_deltaWad
._getGeneratedDeltaDebt function: where the requested debt by the user is updated by comparing the coin balance of the SAFE (which is minted when the user generates a debt) with the requested debt; if the requested debt exceeds the coin balance of the SAFE; the requested debt value is modified by calculating the needed deltaDebt that would be enough to exit wad amount of COIN tokens with the current coins balance of the SAFE.
SAFEEngine):
_getGeneratedDeltaDebt function, and this is done via _exitSystemCoins function which will in turn call the __coinJoin.exit function:
So as can be seen; the values don't match; as the modified _deltaDebt that is used to update the safe.generatedDebt (via BasicActions._modifySAFECollateralization function) might be of a value lesser/larger (depending on the rate and coins balance of the safe) than the actual minted tokens; so when the user wants to repay the SAFE debt his minted tokens might not be enough to do so.
Proof of Concept
BasicActions._generateDebt function
BasicActions._getGeneratedDeltaDebt function
Tools Used
Manual Testing.
Recommended Mitigation Steps
Update _generateDebt function to use the same modified _deltaWad value for generating debt and minting system tokens:
Assessed type
Context
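
A numeric model of the accounting this report describes, added here as an illustration; it is not code from od-contracts or from the report. The ceiling-division adjustment, the wad/ray/rad scales and every Python name are assumptions drawn from the description above, and the scenarios are constructed.

```python
# Added illustration: a numeric model of the report's description, not od-contracts code.
from dataclasses import dataclass

WAD = 10**18  # scale of token amounts (assumed fixed-point convention)
RAY = 10**27  # scale of the accumulated rate
RAD = 10**45  # scale of internal coin balances (WAD * RAY)


@dataclass
class Outcome:
    delta_debt: int    # figure recorded as the SAFE's generated debt
    exited_wad: int    # COIN tokens exited to the user
    leftover_rad: int  # internal coin balance remaining in the SAFE


def needed_delta_debt(coin_balance_rad: int, rate_ray: int, delta_wad: int) -> int:
    """Assumed form of the adjustment: the smallest debt that, together with the
    existing coin balance, covers an exit of delta_wad tokens."""
    shortfall_rad = delta_wad * RAY - coin_balance_rad
    if shortfall_rad <= 0:
        return 0  # existing balance already covers the exit
    return -(-shortfall_rad // rate_ray)  # ceiling division


def generate_debt(coin_balance_rad: int, rate_ray: int, delta_wad: int) -> Outcome:
    delta_debt = needed_delta_debt(coin_balance_rad, rate_ray, delta_wad)
    balance = coin_balance_rad + delta_debt * rate_ray  # coins created by the new debt
    balance -= delta_wad * RAY                          # exit uses the requested amount
    return Outcome(delta_debt, delta_wad, balance)


# Constructed scenarios: (coin balance in rad, rate in ray, requested wad)
SCENARIOS = {
    "rate 1.00, empty balance": (0, RAY, 100 * WAD),
    "rate 1.05, empty balance": (0, 105 * RAY // 100, 100 * WAD),
    "rate 1.05, 40 coins held": (40 * RAD, 105 * RAY // 100, 100 * WAD),
    "rate 0.95, empty balance": (0, 95 * RAY // 100, 100 * WAD),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        o = generate_debt(*args)
        print(f"{name}: recorded={o.delta_debt} exited={o.exited_wad} "
              f"diff={o.delta_debt - o.exited_wad}")
```

The recorded figure equals the exited amount only when the rate is exactly 1.00 and the SAFE holds no coins beforehand; in the other scenarios the two values diverge in the directions the report mentions.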