c4-pre-sort
commented
6 months ago 0xSorryNotSorry marked the issue as sufficient quality report
Closed c4-bot-8 closed 5 months ago
c4-pre-sort
commented
6 months ago 0xSorryNotSorry marked the issue as sufficient quality report
c4-pre-sort
commented
6 months ago 0xSorryNotSorry marked the issue as primary issue
eswak
commented
6 months ago in case if user was slashed [...] it doesn't replenish buffer
This is the expected behavior, The RateLimitedMinter for GUILD has a bufferCap, and this bufferCap acts as a "max total supply" for the GUILD token. At launch there are 1B potential GUILD tokens in existence, but as they get burnt (through the SGM or otherwise), the potential totalSupply is decreased. This is an important feature of the protocol because slashing bad actors then becomes a way for GUILD holders to increase their relative % of ownership over the GUILD supply, and that gives them an incentive to act.
c4-sponsor
commented
6 months ago eswak (sponsor) disputed
c4-judge
commented
5 months ago Trumpero marked the issue as unsatisfactory: Invalid
c4-judge
commented
5 months ago Trumpero marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SurplusGuildMinter.sol#L166
Vulnerability details
Proof of Concept
When user stake gUSDC to the SurplusGuildMinter, then GUILD token is minted to him using rate limiter. Then in case if user was not slashed and he unstakes, then this GUILD token amount is replenished from buffer.
But in case if user was slashed, then all his balance is erased and
unstakefunction returns early and it doesn't replenish buffer in this case. As result buffer limit is smaller than it should be, because that GUILD will be burnt from SurplusGuildMinter voting balance.Impact
Rate limiter buffer is not up to date and will not allow minting in future as each slashing will not replenish buffer.
Tools Used
VsCode
Recommended Mitigation Steps
Even if user was slashed, replenish his GUILD balance.
Assessed type
Error