Closed c4-bot-2 closed 5 months ago
This is a known behavior as per the docs and subject to MEV
0xSorryNotSorry marked the issue as insufficient quality report
Non-issue. Anyone can call a loan, and Guild's holders should call in the first part of auction to prevent loss and slashing. If the collateral loses value and collateral price goes under maxDebtPerCollateralToken, the lending term should be off-boarded asap.
Trumpero marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L339-L435
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L634-L675
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/LendingTerm.sol#L725-L825
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L166-L196
Vulnerability details
Impact
A borrower can use collateral price fluctuations (e.g. during bear markets) to call his own loans when the price of the collateral is less than the debt value, and use this to pay less debt and get his collateral back.
This is possible with a conjunction of two variables, and because anyone can call loans, even the borrower, and the borrower can bid for his own loans.
Proof of Concept
Let's see the next full scenario:
Any contract (bot)/user can borrow credit from the ECG protocol by depositing collateral and asking to borrow against it. These loans are overcollateralized with collateral tokens, so a contract can deposit collateral to the system and ask for a debt in a lending term with partial repayments enabled.
Once the bot has the loan, it has to wait for the conjunction of these two variables:
Wait for the Max Delay Between Partial Repayments to pass.
So with the conjunction of these two variables, the bot will call his own loan for auction.
Taking into account that the collateral value is less than the credit debt, no MEV bot nor any user will bid on the loan, at least during the first part of the auction where the collateral is offered and the full debt is asked, because they would incur losses if they bid; so the user's contract can wait to bid, listening to the mempool for a bid on his loan.
Once the second part of the auction starts, the whole collateral is offered and less and less credit is asked over time, so the user's bot can wait, listening to the mempool for a bid on his loan, and let the debt asked decrease over time. When the user's bot sees a bid for his loan in the mempool, it can front-run it and buy its own loan, getting back its whole collateral and paying less credit debt for the loan.
Tools Used
Manual Review & Foundry
Recommended Mitigation Steps
A solution to this problem could be to deny the borrower from calling his own loans, or to not allow the borrower to bid on his own loans (but I think this is allowed as an opportunity for the borrower to recover his loan).
You can also let the borrower only bid in the first part of the auction and not in the second.
These are some ideas that could be analyzed and implemented to prevent this bad behavior.
Assessed type
Other
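The following is an added worked model of the two-phase auction as the report describes it (phase 1: growing share of collateral offered, full debt asked; phase 2: all collateral offered, debt asked decaying to zero), together with the report's third mitigation idea (borrower may bid only in phase 1). It is constructed for this page and is not the ECG AuctionHouse or LendingTerm code; the numbers, the linear decay curve and the `accept_bid` check are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Auction:
    """Constructed model of a called loan in auction (not ECG code)."""
    collateral_amount: float  # collateral tokens backing the loan
    debt: float               # credit asked for a full repayment
    borrower: str             # address that took the loan
    mid_point: int            # seconds after start when phase 2 begins
    duration: int             # seconds after start when the auction ends

    def bid_detail(self, elapsed: int):
        """Return (collateral_received, credit_asked) for a bid at `elapsed` seconds."""
        if elapsed < self.mid_point:
            # phase 1: partial collateral offered, full debt asked
            return self.collateral_amount * elapsed / self.mid_point, self.debt
        if elapsed < self.duration:
            # phase 2: all collateral offered, credit asked decays linearly (assumed curve)
            remaining = self.duration - elapsed
            return self.collateral_amount, self.debt * remaining / (self.duration - self.mid_point)
        return self.collateral_amount, 0.0  # expired: collateral offered for nothing


def bidder_pnl(auction: Auction, elapsed: int, collateral_price: float) -> float:
    """Value a bidder gains (collateral received minus credit paid) at `elapsed`."""
    collateral, credit = auction.bid_detail(elapsed)
    return collateral * collateral_price - credit


def lender_shortfall(auction: Auction, elapsed: int) -> float:
    """Credit the lending term fails to recover if the bid lands at `elapsed`."""
    return auction.debt - auction.bid_detail(elapsed)[1]


def first_profitable_bid(auction: Auction, collateral_price: float, step: int = 60):
    """Earliest time (sampled every `step` seconds) at which any bidder breaks even."""
    for t in range(0, auction.duration + 1, step):
        if bidder_pnl(auction, t, collateral_price) >= 0:
            return t
    return None


def accept_bid(auction: Auction, bidder: str, elapsed: int, restrict_borrower: bool = True) -> bool:
    """Mitigation sketched in the report: the borrower may only bid during phase 1."""
    if restrict_borrower and bidder == auction.borrower and elapsed >= auction.mid_point:
        return False
    return True


# Constructed scenario: 10 collateral tokens worth 80 credit each (800) against a 1000 credit debt.
EXAMPLE = Auction(collateral_amount=10.0, debt=1000.0, borrower="borrower", mid_point=600, duration=1800)
PRICE = 80.0
```

In this scenario every phase-1 bid loses money for the bidder, the first break-even bid is at 840 s into phase 2, and at that point the term is short 200 credit; with `restrict_borrower` enabled a borrower bid at 840 s is rejected while third-party bids are still accepted.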