Open c4-bot-9 opened 9 months ago
Picodes marked the issue as duplicate of #618
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
othernet-global (sponsor) confirmed
The stablecoin framework: /stablecoin, /price_feed, WBTC/WETH collateral, PriceAggregator, price feeds and USDS have been removed:
https://github.com/othernet-global/salty-io/commit/88b7fd1f3f5e037a155424a85275efd79f3e9bf9
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L125-L128
Vulnerability details
Description
When a user repays the USDS he has borrowed, it is taken from him and kept for burning, and the Liquidizer contract is updated with the newly repaid amount. The USDS is burnt whenever the `performUpkeep` function is called on the Liquidizer by the Upkeep contract during upkeep. The USDS collected is sent to the USDS contract, where it can be burned whenever `burnTokensInContract` is called. The amount of USDS to be burnt in the Liquidizer contract is also increased by the `incrementBurnableUSDS` call, which increases the `usdsThatShouldBeBurned` variable on the Liquidizer.

During upkeep, the Liquidizer first checks whether it holds enough USDS to burn, i.e. `usdsBalance >= usdsThatShouldBeBurned`. If it does, it burns them; otherwise it converts Protocol Owned Liquidity (POL) to USDS and burns it to cover the deficit. Burning POL allows the protocol to cover bad debt from liquidations.

Since the `usdsThatShouldBeBurned` variable is always increased without increasing the Liquidizer's USDS balance, the Liquidizer will always sell POL to cover the increase. If the POL is exhausted, the protocol cannot cover bad debt generated from liquidations, which will affect the price of USDS negatively.

An attacker can borrow and repay multiple times to exhaust POL and create bad debt, or it could simply happen over time as users repay their USDS.
Impact
This will affect the price of USDS negatively.
Proof of Concept
This test can be run in CollateralAndLiquidity.t.sol.
Tools Used
Manual Analysis
Recommended Mitigation Steps
Send the repaid USDS to the Liquidizer.
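The accounting mismatch described above and the effect of the proposed mitigation, as an added Python model that is not part of the report or of the Salty.IO code base: the class and function names, the POL value and the repayment amounts are constructed for the simulation, and the Liquidizer's upkeep logic is reduced to the balance check and POL fallback the report describes.

```python
# Constructed model of the USDS burn accounting between CollateralAndLiquidity
# and Liquidizer (not the project's code). It shows that routing repaid USDS
# to the USDS contract, while still incrementing usdsThatShouldBeBurned,
# makes every upkeep sell POL until it is exhausted.

class Liquidizer:
    def __init__(self, pol_usds_value):
        self.usds_balance = 0                  # USDS actually held by the Liquidizer
        self.usds_that_should_be_burned = 0    # counter grown by incrementBurnableUSDS
        self.pol_usds_value = pol_usds_value   # constructed: POL convertible to USDS
        self.pol_sold = 0

    def increment_burnable_usds(self, amount):
        self.usds_that_should_be_burned += amount

    def perform_upkeep(self):
        """Burn held USDS; if short, convert POL to USDS to cover the deficit."""
        if self.usds_balance >= self.usds_that_should_be_burned:
            self.usds_balance -= self.usds_that_should_be_burned
            self.usds_that_should_be_burned = 0
            return
        deficit = self.usds_that_should_be_burned - self.usds_balance
        sold = min(deficit, self.pol_usds_value)   # POL can only cover what is left
        self.pol_usds_value -= sold
        self.pol_sold += sold
        burned = self.usds_balance + sold
        self.usds_balance = 0
        self.usds_that_should_be_burned -= burned  # stays > 0 once POL is exhausted

def repay_usds(liquidizer, usds_contract_balance, amount, send_to_liquidizer):
    """Vulnerable path: repaid USDS goes to the USDS contract (burned later by
    burnTokensInContract) while the Liquidizer counter still grows.
    Mitigated path: the repaid USDS goes to the Liquidizer itself."""
    if send_to_liquidizer:
        liquidizer.usds_balance += amount
    else:
        usds_contract_balance += amount
    liquidizer.increment_burnable_usds(amount)
    return usds_contract_balance

def simulate(repayments, pol_usds_value, mitigated):
    """Run repay + upkeep for each amount; report POL spent and uncovered debt."""
    liq = Liquidizer(pol_usds_value)
    usds_contract = 0
    for amount in repayments:
        usds_contract = repay_usds(liq, usds_contract, amount, mitigated)
        liq.perform_upkeep()
    return {"pol_sold": liq.pol_sold, "pol_left": liq.pol_usds_value,
            "uncovered": liq.usds_that_should_be_burned}
```

With three repayments of 100 against 250 of POL, the current routing sells all POL and leaves 50 USDS of burn obligation uncovered, while the mitigated routing burns the repaid USDS directly and touches no POL.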
Assessed type
Token-Transfer