code-423n4 / 2023-12-ethereumcreditguild-findings


First minter of a gauge can mint more tokens than designed #1179

Closed c4-bot-9 closed 8 months ago

c4-bot-9 commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L298-L304

Vulnerability details

Impact

The first minter of a term can mint a lot of credit tokens, because the code gives them special privilege and does not check the relative weights in the gauges. This is shown in the following snippet:

```solidity
function debtCeiling(
    int256 gaugeWeightDelta
) public view returns (uint256) {
    //...
    if (totalBorrowedCredit == 0 && gaugeWeight != 0) {
        // first-ever CREDIT mint on a non-zero gauge weight term
        // does not check the relative debt ceilings
        // returns min(hardCap, creditMinterBuffer)
        return
            _hardCap < creditMinterBuffer ? _hardCap : creditMinterBuffer;
    }
```

So a malicious user can call the term contract immediately after deployment and mint up to the _hardCap of tokens, preventing any others from minting any tokens.

Proof of Concept

The proof is evident from the code linked above.

Tools Used

Manual Review

Recommended Mitigation Steps

For initial borrows, have a special FIRST_MINT variable with a lower value than the _hardCap and use that instead of the _hardCap in the above code.

Assessed type

Invalid Validation
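A small Python model of the branch quoted above, added here as an illustration and not code from the Ethereum Credit Guild contracts: it compares the ceiling the first borrower gets under the quoted rule, the ceiling a gauge-weight-proportional check would give (the proportional formula and the `total_supply` field are assumptions for the model; the real formula is not on this page), and the ceiling under the suggested FIRST_MINT cap.

```python
from dataclasses import dataclass


@dataclass
class TermState:
    """Constructed snapshot of the values debtCeiling() reads (model only)."""
    hard_cap: int
    credit_minter_buffer: int
    gauge_weight: int           # this term's gauge weight
    total_weight: int           # sum of all gauge weights
    total_borrowed_credit: int  # credit already borrowed on this term
    total_supply: int           # ASSUMED: supply the relative ceiling scales against


def relative_ceiling(s: TermState) -> int:
    """ASSUMPTION: a term may hold at most its gauge-weight share of supply,
    still bounded by hardCap and the minter buffer."""
    share = s.total_supply * s.gauge_weight // s.total_weight
    return min(s.hard_cap, s.credit_minter_buffer, share)


def debt_ceiling_as_quoted(s: TermState) -> int:
    """Mirrors the quoted branch: on the first-ever mint with non-zero gauge
    weight, only min(hardCap, creditMinterBuffer) applies."""
    if s.total_borrowed_credit == 0 and s.gauge_weight != 0:
        return min(s.hard_cap, s.credit_minter_buffer)
    return relative_ceiling(s)


def debt_ceiling_with_first_mint(s: TermState, first_mint: int) -> int:
    """The issue's suggested mitigation: a separate FIRST_MINT cap, lower than
    hardCap, bounds the privileged first borrow."""
    if s.total_borrowed_credit == 0 and s.gauge_weight != 0:
        return min(first_mint, s.hard_cap, s.credit_minter_buffer)
    return relative_ceiling(s)


# Constructed example: a term holding 10% of gauge weight, nothing borrowed yet.
FIRST_BORROW = TermState(hard_cap=1_000_000, credit_minter_buffer=2_000_000,
                         gauge_weight=10, total_weight=100,
                         total_borrowed_credit=0, total_supply=500_000)

if __name__ == "__main__":
    print("quoted rule  :", debt_ceiling_as_quoted(FIRST_BORROW))
    print("proportional :", relative_ceiling(FIRST_BORROW))
    print("FIRST_MINT   :", debt_ceiling_with_first_mint(FIRST_BORROW, 100_000))
```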

c4-pre-sort commented 9 months ago

0xSorryNotSorry marked the issue as sufficient quality report

c4-pre-sort commented 9 months ago

0xSorryNotSorry marked the issue as primary issue

0xSorryNotSorry commented 9 months ago

My take is: this is a feature, as the borrower will leave collateral tokens anyway. Moreover, a new term can be created by modifying the existing one by even 1 wei of hardcap.

Forwarding to the Sponsors for their perusal.

eswak commented 8 months ago

only the first borrow on the first term in the market has this special privilege (not directly after deployment, but after onboarding & at least 1 gauge vote), and it is totally fine if only one borrower fills up the hardCap, so I wouldn't consider this an issue

c4-sponsor commented 8 months ago

eswak (sponsor) disputed

c4-judge commented 8 months ago

Trumpero marked the issue as unsatisfactory: Invalid