Closed c4-bot-8 closed 9 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as duplicate of #1147
Trumpero marked the issue as duplicate of #1141
Trumpero marked the issue as satisfactory
Trumpero changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L154
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L191-L195
Vulnerability details
Impact
The LendingTermOffboarding contract has a potential issue that could lead to an inconsistent state in the system. This inconsistency could brick redemptions and disrupt the normal functioning of the lending term offboarding process.
The issue arises when a lending term is offboarded and then immediately re-onboarded without the cleanup() function being called. This would allow anyone to immediately offboard the term again, leading to an incorrect value in nOffboardingsInProgress. This would in turn block the unpausing of redemptions in the PSM as the nOffboardingsInProgress variable could not be decreased down to 0 again.
Proof of Concept
Consider the following sequence of events:
1. A LendingTerm is offboarded with the intention of calling all loans and immediately re-onboarding it (due to e.g. some loans being so old that the interest accrued brings them close to being underwater).
2. The LendingTerm is immediately re-onboarded.
3. Nobody calls the cleanup() function during the time it is being offboarded.
4. As canOffboard[term] is still true, anyone can call the offboard() function again.
5. This adds the term to the _deprecatedGauges set again and increases nOffboardingsInProgress to 2.
6. cleanup() can only be called once as canOffboard[term] will be false on subsequent calls, which makes it impossible to unpause redemptions in the PSM.
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L154
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L191-L195
Tools Used
Manual review
Recommended Mitigation Steps
To mitigate this issue, consider adding a check in the proposeOnboard() function to ensure that a term cannot be re-onboarded if it hasn't been cleaned up. This could be done by checking if LendingTermOffboarding.canOffboard[term] is false before allowing the term to be onboarded.
Assessed type
Other
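The sequence in the Proof of Concept and the recommended guard can be replayed in a small state model. This is an added example, not code from the report or from the project: it is a simplified Python model rather than the Solidity contract, and the class, the guard_reonboard switch, the error strings and the rule that only an active gauge can be offboarded are assumptions made for illustration.

```python
# Simplified model of the state in this report; not the project's Solidity.
class OffboardingModel:
    def __init__(self, guard_reonboard=False):
        self.guard_reonboard = guard_reonboard  # hypothetical mitigation switch
        self.can_offboard = {}                  # term -> vote passed, not cleaned up
        self.active_gauges = set()
        self.deprecated_gauges = set()
        self.n_offboardings_in_progress = 0
        self.redemptions_paused = False

    def vote_passes(self, term):
        self.can_offboard[term] = True

    def onboard(self, term):
        # Recommended mitigation: no re-onboarding until cleanup() reset the flag.
        if self.guard_reonboard and self.can_offboard.get(term, False):
            raise RuntimeError("term not cleaned up")
        self.deprecated_gauges.discard(term)
        self.active_gauges.add(term)

    def offboard(self, term):
        if not self.can_offboard.get(term, False):
            raise RuntimeError("quorum not met")
        if term not in self.active_gauges:  # model assumption: only active terms
            raise RuntimeError("not an active gauge")
        self.active_gauges.remove(term)
        self.deprecated_gauges.add(term)
        self.n_offboardings_in_progress += 1
        self.redemptions_paused = True

    def cleanup(self, term):
        if not self.can_offboard.get(term, False):
            raise RuntimeError("quorum not met")
        self.n_offboardings_in_progress -= 1
        # Redemptions are unpaused only once the counter is back at 0.
        self.redemptions_paused = self.n_offboardings_in_progress > 0
        self.can_offboard[term] = False  # so cleanup() succeeds only once

def replay(guard_reonboard):
    """Replay the report's sequence; return (counter, paused, first blocked step)."""
    m = OffboardingModel(guard_reonboard)
    m.onboard("term")
    m.vote_passes("term")
    blocked = None
    for i, step in enumerate([m.offboard, m.onboard, m.offboard, m.cleanup, m.cleanup]):
        try:
            step("term")
        except RuntimeError as exc:
            blocked = blocked or (i, str(exc))
    return m.n_offboardings_in_progress, m.redemptions_paused, blocked
```

Without the guard the counter ends at 1 with redemptions still paused and the second cleanup() rejected; with the guard the re-onboarding step is the one that fails and a single cleanup() brings the counter back to 0.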