c4-pre-sort
commented
5 months ago 0xSorryNotSorry marked the issue as sufficient quality report
Closed c4-bot-3 closed 5 months ago
c4-pre-sort
commented
5 months ago 0xSorryNotSorry marked the issue as sufficient quality report
c4-pre-sort
commented
5 months ago 0xSorryNotSorry marked the issue as duplicate of #878
c4-judge
commented
5 months ago Trumpero changed the severity to QA (Quality Assurance)
c4-judge
commented
5 months ago Trumpero marked the issue as grade-b
c4-judge
commented
5 months ago This previously downgraded issue has been upgraded by Trumpero
c4-judge
commented
5 months ago Trumpero changed the severity to QA (Quality Assurance)
c4-judge
commented
5 months ago Trumpero removed the grade
c4-judge
commented
5 months ago Trumpero marked the issue as grade-b
Trumpero
commented
4 months ago I consider this issue as a dup of https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/868 since it shares the same idea about the problem, where capping debtCeiling with creditMinterBuffer causes the debtCeiling to be lower than it should.
thebrittfactor
commented
4 months ago For transparency, the judge has requested for the labels on this submission to be updated.
c4-judge
commented
4 months ago Trumpero marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/tokens/GuildToken.sol#L226-L230
Vulnerability details
Impact
The
LendingTerm.debtCeiling()function, only called fromGuildToken._decrementGaugeWeight(), which is itself internally called when unstaking/decreasing gauge weight, contains a mistake in calculation that will prevent users from unstaking from any term if thecreditMinterBufferis low. This is because it will always return thecreditMinterBufferif it is lower than the_hardCapor_debtCeiling. The only exception is the case where_issuance >= debtCeilingBefore, in which casedebtCeilingBeforewill be returned, which will then fail therequire(issuance <= debtCeilingAfterDecrement)statement in_decrementGaugeWeight()unless in case of strict equality.https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L290-L291 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L302-L303 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L309-L311 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L316-L317 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L323-L330 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/tokens/GuildToken.sol#L226-L230
It seems that this function was written with another purpose in mind (to limit minting) and then repurposed to fulfil another purpose (to determine how much can be unstaked).
This could lead to a situation where, under heavy protocol usage or simply after a large mint, users are unable to unstake or decrease their gauge weight, regardless of the issuance on the term they're supporting.
Proof of Concept
Consider the following scenario:
creditMinterBuffer.GuildToken._decrementGaugeWeight()function is called, which internally calls thedebtCeiling()function.debtCeiling()function returns thecreditMinterBufferas it is lower than the_hardCapor_debtCeiling.creditMinterBufferis lower than the term's issuance.Additionally, note that this also opens up a DoS vector (albeit probably beneficial to the protocol) exploitable by continually minting CREDIT and depleting the minting buffer, which will prevent anybody from unstaking or reducing their weight.
Tools Used
Manual review
Recommended Mitigation Steps
The
debtCeiling()function needs to be re-architected to ensure it only prevents unstaking based on a term's issuance.Assessed type
Other