Closed c4-bot-5 closed 9 months ago
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L75-L113
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L118-L161
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L166-L196
Vulnerability details
Impact
The AuctionHouse liquidation process relies on sequential initialization and bidding. By creatively sandwiching or manipulating steps, attackers can extract disproportionate value from auctions.
Two phase collateral auctions run via these functions.
startAuction(), getBidDetail(), bid()
By offering increasing collateral for stable debt then decreasing debt for full collateral.
Cause:
No enforcement mechanisms couple the serialized assumptions of the model.
Attack Vectors:
Scenario:
Alice defaults on loan, 5 ETH collateral
Auction starts, but Alice sandwiches initialization
Alice bids 100 ETH externally to clear 10 ETH debt
Violates collateralization assumptions
Attackers can extract excess value from auctions compared to fair repayment terms.
Proof of Concept
The key functions enabling the collateral auction process:
AuctionHouse.startAuction(), AuctionHouse.getBidDetail(), AuctionHouse.bid()
Two-phase auctions run offering increasing collateral for stable debt, then full collateral for decreasing debt.
However, several assumptions could be violated by creative manipulation:
If liquidations are started but bids are manipulated to clear defaulted debt for pennies, massive value extraction potential exists.
For example, sandwiching startAuction() then bidding 100 ETH worth of collateral for 1 wei debt repayment.
Impact
It enables violation of fair debt repayment assumptions upon default. Significant value extraction.
Recommended Mitigation Steps
Assessed type
Governance
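A time-based model of the two-phase schedule described in the report, with a check that the terms returned at every second stay within the loan's collateral and debt. This is an added example, not code from the report or from the AuctionHouse contract; the linear schedules, the field names, `mid_point`, `duration` and the treatment after expiry are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Auction:
    start_time: int         # set once when the auction is started
    collateral_amount: int  # collateral held by the defaulted loan (wei)
    call_debt: int          # debt owed when the loan was called (wei)
    mid_point: int          # assumed length of phase 1, in seconds
    duration: int           # assumed total auction length, in seconds

def get_bid_detail(a: Auction, now: int) -> tuple[int, int]:
    """Return (collateral_received, credit_asked) from stored state and time only."""
    if a.start_time == 0 or now < a.start_time:
        raise ValueError("auction not started")
    elapsed = now - a.start_time
    if elapsed < a.mid_point:
        # Phase 1: increasing share of the collateral for the full debt.
        return a.collateral_amount * elapsed // a.mid_point, a.call_debt
    if elapsed < a.duration:
        # Phase 2: full collateral for a linearly decreasing debt.
        phase2 = a.duration - a.mid_point
        done = elapsed - a.mid_point
        return a.collateral_amount, a.call_debt - a.call_debt * done // phase2
    return a.collateral_amount, 0  # assumption: after expiry, no debt is asked

def check_schedule(a: Auction) -> bool:
    """Check bounds and monotonicity of the terms at every second of the auction."""
    prev_c, prev_d = 0, a.call_debt
    for t in range(a.start_time, a.start_time + a.duration + 1):
        c, d = get_bid_detail(a, t)
        if not (0 <= c <= a.collateral_amount and 0 <= d <= a.call_debt):
            return False  # terms exceed what the loan actually holds or owes
        if c < prev_c or d > prev_d:
            return False  # terms moved in the bidder-unfavourable direction
        prev_c, prev_d = c, d
    return True

# Constructed sample using the report's figures: 5 ETH collateral, 10 ETH debt.
SAMPLE = Auction(start_time=1_000, collateral_amount=5 * 10**18,
                 call_debt=10 * 10**18, mid_point=650, duration=1_800)
```

In this model the bidder supplies no amounts, so a property check like `check_schedule` is the kind of evidence a report on bid manipulation would need to contradict with a concrete failing input.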
how??
0xSorryNotSorry marked the issue as insufficient quality report
Invalid assumptions and lacking evidence
Trumpero marked the issue as unsatisfactory: Invalid