code-423n4 / 2024-01-opus-findings


Under-Collateralization of Yins Prior to Complete User Reclamation #130

Closed c4-bot-1 closed 7 months ago

c4-bot-1 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/caretaker.cairo#L341-L363
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/caretaker.cairo#L215-L240

Vulnerability details

Summary

When the caretaker shuts down the shrine, it calculates the backing percentage (backing_pct). This percentage represents the value of collaterals used to support Yin assets. Users can reclaim their assets by burning minted Yin. However, a problem arises if the price of assets falls before everyone has reclaimed their assets. In such cases, users might not be able to reclaim their assets in full (this is not a problem in itself, but they will use a 1 USD pegged stablecoin (yin) instead of claiming some collateral, and this makes yin under-collateralized), as they receive a proportion of assets relative to their Yin. This leads to under-collateralized Yin, and users may not be able to reclaim their assets due to losses. Also, the prices of yangs are not updated before calculating backing_pct.

Vulnerability Details

The caretaker's shut function computes the backing percentage (backing_pct). This ensures that for every Yin minted as debt, there are corresponding assets available for users to reclaim, equivalent to their value. For instance, if the total value of shrine yangs is 1000 USD and the total debt is 800 USD, 800 USD worth of assets would be set aside for users to reclaim. This means that for every Yin they burn, users would receive $1 worth of assets.
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/caretaker.cairo#L211-L240

Then users can reclaim their assets through the reclaim function, which burns yin and transfers the underlying collateral to the user.
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/caretaker.cairo#L341-L363

If the value of the underlying collateral decreases, the assets earmarked for reclamation would have a lower value than the Yin tokens that users provide for reclamation. As a result, Yin tokens are under-collateralized and would be de-pegged from 1 USD.

Impact

Yins become under-collateralized.

Tools Used

Manual Review

Recommended Mitigation Steps

You might want to consider increasing the backing percentage by an additional 1% to incentivize users to reclaim their assets promptly, mitigating potential risks associated with price fluctuations.

Assessed type

Other
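A worked model of the shutdown math the finding describes, added here as an illustration and not code from the Opus repository: backing_pct is debt divided by collateral value, capped at 100%, that share of each yang is earmarked at shutdown, and reclaim pays a pro-rata slice of the earmarked assets. The shrine, price and debt figures are constructed (the 1000 USD / 800 USD case from the finding plus a later price drop); yang names and function names are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Shrine:
    """Constructed toy state: collateral units per yang, USD price per unit, total yin debt."""
    yang_amounts: Dict[str, float]
    prices: Dict[str, float]
    total_debt: float

    def total_value(self) -> float:
        return sum(self.yang_amounts[y] * self.prices[y] for y in self.yang_amounts)


def backing_pct(shrine: Shrine) -> float:
    """Share of collateral earmarked for reclaim: debt / value, capped at 100%.

    The cap is the behaviour the sponsor describes: if value < debt there is
    nothing more to earmark than everything, so the percentage saturates at 1.0.
    """
    value = shrine.total_value()
    if value == 0:
        return 1.0
    return min(1.0, shrine.total_debt / value)


def shut(shrine: Shrine) -> Dict[str, float]:
    """Earmark backing_pct of every yang at the prices seen at shutdown time."""
    pct = backing_pct(shrine)
    return {y: amt * pct for y, amt in shrine.yang_amounts.items()}


def reclaim(yin: float, total_yin: float, earmarked: Dict[str, float]) -> Dict[str, float]:
    """Burning `yin` of `total_yin` returns the same fraction of the earmarked assets."""
    share = yin / total_yin
    return {y: amt * share for y, amt in earmarked.items()}


def usd_value(assets: Dict[str, float], prices: Dict[str, float]) -> float:
    """Value a bundle of yang units at a given price set (e.g. prices after shutdown)."""
    return sum(assets[y] * prices[y] for y in assets)


def demo() -> tuple:
    # Constructed scenario: 0.5 ETH at 2000 USD = 1000 USD of collateral, 800 yin of debt.
    shrine = Shrine({"ETH": 0.5}, {"ETH": 2000.0}, 800.0)
    earmarked = shut(shrine)                       # 80% of 0.5 ETH = 0.4 ETH set aside
    payout = reclaim(100.0, shrine.total_debt, earmarked)   # burn 100 of 800 yin -> 0.05 ETH
    at_shutdown = usd_value(payout, shrine.prices)          # 100 USD: fully backed
    after_drop = usd_value(payout, {"ETH": 1500.0})         # 75 USD: 100 yin now under-backed
    return backing_pct(shrine), at_shutdown, after_drop
```

The third value of demo() is the gap the finding points at: the earmarked slice is fixed at shutdown, so a later price fall lowers what each burned yin recovers; the sponsor's reply is that this is accepted because the deprecation is evaluated once, at activation.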

tserg commented 8 months ago

This is exactly what was intended - if there is less value than debt, then the backing percentage would already exceed 100%, hence we cap it to 100%.

c4-pre-sort commented 7 months ago

bytes032 marked the issue as insufficient quality report

alex-ppg commented 7 months ago

The Warden describes how the Caretaker module of the Opus system will utilize a fixed percentage backing for comparing collateral that backs the respective debt units.

This is intended, as the Caretaker is a module utilized for the deprecation of the protocol. If the prices of the underlying collaterals fluctuate, they should not be tracked by the Caretaker as the deprecation is final and evaluated at the time it is activated.

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Invalid