search

code-423n4 / 2023-12-ethereumcreditguild-findings

9 stars 5 forks source link

A special attack idea #1199

Closed c4-bot-5 closed 5 months ago

c4-bot-5 commented 6 months ago

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L166-L196

Vulnerability details

I have a relatively unique attack idea. Taking the USDC market created in the GIP_0 contract as an example, in the first launched term, the hardCap of gUSDC is 2 million:

address termSDAI1 = termOnboarding.createTerm(
    _lendingTermV1,
    LendingTerm.LendingTermParams({
        collateralToken: AddressLib.get("ERC20_SDAI"),
        maxDebtPerCollateralToken: 1e18, // 1 CREDIT per SDAI collateral + no decimals correction
        interestRate: SDAI_RATE, // 4%
        maxDelayBetweenPartialRepay: 0, // no periodic partial repay needed
        minPartialRepayPercent: 0, // no minimum size for partial repay
        openingFee: 0, // 0%
        hardCap: CREDIT_HARDCAP // max 2m CREDIT issued
    })
);

  1. Assume that a malicious team uses approximately $2 million in real costs as collateral (ERC20_SDAI) and uses multiple witch accounts to mint all 2 million gUSDC.

  2. In the PSM contract, assume that other users provide 1 million USDC as peg tokens.

  3. A malicious team calls the redeem function in the PSM contract, burns one million gUSDC, and gets one million USDC.

  4. The malicious team still has 1 million gUSDC left, and they deliberately turn all their gUSDC into bad debts. At this time, their ERC20_SDAI collateral will be auctioned off.

  5. Since malicious teams hold the most gUSDC, they are in the most advantageous position during the auction process and can buy back all ERC20_SDAI collateral at a low price in the form of an auction.

  6. So far, the malicious team has earned a total of 1 million USDC!

Additional Context:

Auction mechanism: at first, offer 0% collateral, ask 100% debt. Then, over time, offer a larger % of the collateral and still 100% debt. At 'midpoint', 100% collateral is offered asking for 100% debt, and if nobody has bid, bad debt will be realized. In the second phase, 100% collateral is offered and less and less debt is asked. When we reach the end of the auction (100% collateral offered, 0% debt asked), nobody can bid in the auction anymore, and the loans can be automatically forgiven (marking it as a 100% loss). The first to bid wins the auction, making it a race to arbitrage (onchain MEV or otherwise).

Assessed type

Other

0xSorryNotSorry commented 6 months ago

The submission does not provide any demonstration of the issue, reasoning and code blocks.

c4-pre-sort commented 6 months ago

0xSorryNotSorry marked the issue as insufficient quality report

c4-judge commented 5 months ago

Trumpero marked the issue as unsatisfactory: Insufficient quality