Closed c4-bot-8 closed 6 months ago
bytes032 marked the issue as insufficient quality report
The Warden describes how collateral with low interest and no other depositors can be exploited to lower a user's overall interest within their trove by donating it to its gate and exacerbating its effect with a flash loan.
The vulnerability relies on the assumption that the collateral has a lower interest value than other assets (making it lucrative) yet has no other depositors which is an invalid assumption.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/shrine.cairo#L1529-L1550 https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/gate.cairo#L107-L116 https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/seer.cairo#L222-L225 https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/seer.cairo#L181-L184
Vulnerability details
Summary
The baseInterest rate is derived from the combined values of deposited yangs and the interest associated with each yang. If the trove exclusively deposits a yang with a lower interest rate, the trove owner can manipulate the base_interest. This manipulation involves obtaining a flash loan for the assets of the yang with the lower interest rate and transferring them to a gate. Since the trove owner is the sole holder at this gate, there is no loss incurred. The owner then updates the price using the seer module (as the value of assets in the gate has increased, though no new yang has been minted, resulting in inflated yang prices). Importantly, the assets are deposited without incurring any interest charges. Consequently, when interest is applied to the trove, it is heavily weighted towards this specific yang with the lower interest rate. After charging interest, the trove owner can simply withdraw a portion of the yangs and repay the flash loan. This strategy is effective when one of the yangs has a lower interest rate than the others and has only one depositor.
The greater the deposited value for a yang, the more pronounced the impact on the base interest, influenced by the interest rate of that specific yang. Therefore, with the increased value of the underlying yang, interest is more heavily weighted towards this specific yang.
Impact
Manipulation of base interest rate by a malicious user
Vulnerability Details
In the code snippet below, the base interest rate is influenced by both yang values and their respective interest rates. For instance, if we consider two yangs with identical values, where the first has a 5% interest rate and a deposit of 100, and the second has a deposit of 100 with a 10% interest rate, the resulting base interest rate would be 7.5. If we increase the value of the first yang the interest rate is directed towards the 5% rate. https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/shrine.cairo#L1529-L1550
Before every deposit interest is charged, so we need to inflate the yang price of that yang ( this is possible when there is one depositor ) so we transfer some assets to the gate as this doesn't mint new yangs so the ratio of assets is changed.
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/gate.cairo#L107-L116
now we can call execute_task public function at seer module to update yang price based on new ratio and then charge interest with manipulated interest_rate. user can use flash loan to perform this manipulation. https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/seer.cairo#L181-L184 https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/seer.cairo#L222-L225
Tools Used
Manual Review
Assessed type
Other