Closed c4-bot-3 closed 5 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as duplicate of #878
Trumpero changed the severity to QA (Quality Assurance)
Trumpero marked the issue as grade-b
This previously downgraded issue has been upgraded by Trumpero
Trumpero changed the severity to QA (Quality Assurance)
Trumpero removed the grade
Trumpero marked the issue as grade-b
I consider this issue as a dup of https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/868 since it shares the same idea about the problem, where capping debtCeiling with creditMinterBuffer causes the debtCeiling to be lower than it should.
For transparency, the judge has requested for the labels on this submission to be updated.
Trumpero marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/tokens/GuildToken.sol#L226-L230
Vulnerability details
Impact
The
LendingTerm.debtCeiling()
function, only called fromGuildToken._decrementGaugeWeight()
, which is itself internally called when unstaking/decreasing gauge weight, contains a mistake in calculation that will prevent users from unstaking from any term if thecreditMinterBuffer
is low. This is because it will always return thecreditMinterBuffer
if it is lower than the_hardCap
or_debtCeiling
. The only exception is the case where_issuance >= debtCeilingBefore
, in which casedebtCeilingBefore
will be returned, which will then fail therequire(issuance <= debtCeilingAfterDecrement)
statement in_decrementGaugeWeight()
unless in case of strict equality.https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L290-L291 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L302-L303 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L309-L311 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L316-L317 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L323-L330 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/tokens/GuildToken.sol#L226-L230
It seems that this function was written with another purpose in mind (to limit minting) and then repurposed to fulfil another purpose (to determine how much can be unstaked).
This could lead to a situation where, under heavy protocol usage or simply after a large mint, users are unable to unstake or decrease their gauge weight, regardless of the issuance on the term they're supporting.
Proof of Concept
Consider the following scenario:
creditMinterBuffer
.GuildToken._decrementGaugeWeight()
function is called, which internally calls thedebtCeiling()
function.debtCeiling()
function returns thecreditMinterBuffer
as it is lower than the_hardCap
or_debtCeiling
.creditMinterBuffer
is lower than the term's issuance.Additionally, note that this also opens up a DoS vector (albeit probably beneficial to the protocol) exploitable by continually minting CREDIT and depleting the minting buffer, which will prevent anybody from unstaking or reducing their weight.
Tools Used
Manual review
Recommended Mitigation Steps
The
debtCeiling()
function needs to be re-architected to ensure it only prevents unstaking based on a term's issuance.Assessed type
Other