In the proposeOffboard function of the LendingTermOffboarding contract, there is no verification of whether the passed-in term parameter comes from the same market. A malicious actor may use the proposeOffboard function to offboard lending terms from other different markets. #1165
In the proposeOffboard function of the LendingTermOffboarding contract, there is no verification of whether the passed-in term parameter comes from the same market. A malicious actor may use the proposeOffboard function to offboard lending terms from other different markets.
Proof of Concept
The code for the proposeOffboard function is as follows:
function proposeOffboard(address term) external whenNotPaused {
require(
polls[block.number][term] == 0,
"LendingTermOffboarding: poll exists"
);
require(
block.number > lastPollBlock[term] + POLL_DURATION_BLOCKS,
"LendingTermOffboarding: poll active"
);
// Check that the term is an active gauge
require(
GuildToken(guildToken).isGauge(term),
"LendingTermOffboarding: not an active term"
);
polls[block.number][term] = 1; // voting power
lastPollBlock[term] = block.number;
emit OffboardSupport(
block.timestamp,
term,
block.number,
address(0),
1
);
}
It can be seen that the incoming term parameter is not verified to be from the same market.
Different markets have different quorum parameters. Suppose there are two LendingTermOffboarding contracts (contract A, contract B, corresponding to the ETH and Bitcoin markets). The quorum parameter of contract A is lower than that of contract B. Suppose:
The quorum of contract A is 10000, and the quorum of contract B is 50
Because the proposeOffboard function does not verify whether the term parameter comes from the same market, as long as there are 50 votes in contract B, the term in contract A can be offboarded, and the redemption function of the corresponding PSM in contract A will be temporarily suspended.
Tools Used
Manual audit
Recommended Mitigation Steps
Optimize the system logic, in the proposeOffboard function of the LendingTermOffboarding contract, verify whether the incoming term parameter comes from the same market
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOffboarding.sol#L89-L113
Vulnerability details
Impact
In the
proposeOffboard
function of theLendingTermOffboarding
contract, there is no verification of whether the passed-in term parameter comes from the same market. A malicious actor may use theproposeOffboard
function to offboard lending terms from other different markets.Proof of Concept
The code for the proposeOffboard function is as follows:
It can be seen that the incoming term parameter is not verified to be from the same market.
Different markets have different quorum parameters. Suppose there are two LendingTermOffboarding contracts (contract A, contract B, corresponding to the ETH and Bitcoin markets). The quorum parameter of contract A is lower than that of contract B. Suppose:
Tools Used
Manual audit
Recommended Mitigation Steps
Optimize the system logic, in the proposeOffboard function of the LendingTermOffboarding contract, verify whether the incoming term parameter comes from the same market
Assessed type
Governance