code-423n4 / 2024-01-salty-findings

Potential USDS Value Loss Due to Shortfall in Protocol #867

Closed c4-bot-8 closed 7 months ago

c4-bot-8 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/Liquidizer.sol#L115-L126

Vulnerability details

Impact

There's a risk that USDS may lose its 1:1 parity, leading to many undercollateralized positions that become impossible to liquidate due to inadequate incentives.

Proof of Concept

The protocol includes a safeguard for shortfalls, such as those that might occur in undercollateralized liquidations, by withdrawing a small percentage of Protocol Owned Liquidity (POL) and converting it to USDS for burning.

When Liquidizer::performUpkeep is called, it triggers _possiblyBurnUSDS. However, if the percentage of the protocol's assets is insufficient to maintain stability, and usdsBalance < usdsThatShouldBeBurned, the protocol's response is:

dao.withdrawPOL(salt, usds, PERCENT_POL_TO_WITHDRAW);
dao.withdrawPOL(dai, usds, PERCENT_POL_TO_WITHDRAW);

This withdrawal does not immediately convert to USDS for burning and relies on the next call of Liquidizer::performUpkeep. It doesn't verify if the 1% withdrawn is sufficient. In extreme circumstances, this approach could lead to a breakdown in the protocol, potentially causing a loss in USDS value due to not burning the necessary amount.

Tools Used

Manual code review

Recommended Mitigation Steps

Ensure the protocol has adequate solvency to handle such situations. Implement mechanisms that can promptly respond and mitigate risks, guaranteeing enough assets are converted to USDS for burning when necessary.

Assessed type

Math

c4-judge commented 7 months ago

Picodes marked the issue as unsatisfactory: Insufficient proof
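
A simplified model of the upkeep loop the report describes, added here as an example; it is not the warden's proof of concept or Salty's contract code. It counts how many `performUpkeep` calls a shortfall needs when 1% of the remaining POL is withdrawn per call and only becomes burnable USDS on the following call. The function name, the integer units, constant prices, full conversion of withdrawn POL, and the partial burn of USDS on hand are assumptions of the model.

```python
# Added illustration: a simplified model, not Salty's contract code.
# Assumptions (not from the page): amounts are integers valued in USDS at
# constant prices; POL withdrawn in one upkeep is fully converted to USDS by
# the next; any USDS on hand is burned against the outstanding shortfall.

PERCENT_POL_TO_WITHDRAW = 1  # the "1% withdrawn" figure quoted in the report


def upkeeps_to_clear(shortfall, pol_value, max_upkeeps=10_000):
    """Return (upkeeps_run, remaining_shortfall, remaining_pol)."""
    should_burn = shortfall  # stands in for usdsThatShouldBeBurned
    pending = 0              # POL withdrawn last upkeep, converted by this one
    for n in range(1, max_upkeeps + 1):
        usds_balance, pending = pending, 0
        if usds_balance >= should_burn:
            return n, 0, pol_value            # shortfall fully burned
        should_burn -= usds_balance           # partial burn, rest carries over
        pending = pol_value * PERCENT_POL_TO_WITHDRAW // 100
        if pending == 0:
            return n, should_burn, pol_value  # POL exhausted: stuck shortfall
        pol_value -= pending
    return max_upkeeps, should_burn, pol_value


if __name__ == "__main__":
    for shortfall in (500, 5_000, 200_000):   # constructed sample values
        print(shortfall, upkeeps_to_clear(shortfall, 100_000))
```

In this model a shortfall below 1% of POL still takes two upkeeps to clear, and a shortfall larger than total POL is never cleared.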