Closed c4-bot-8 closed 5 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
This is acceptable, as the automatic arbitrage mechanic prevents symmetrical swapping in that arbitrage happens after the user's first swap, putting the attacker at a disadvantage when they try to restore their original position.
Picodes marked issue #222 as primary and marked this issue as a duplicate of 222
Picodes marked the issue as satisfactory
Picodes changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L232-L233
Vulnerability details
Users are able to deposit WBTC/WETH liquidity as collateral for borrowing USDS; they are allowed to borrow 50% of their collateral value.
The amount of collateral that the user has deposited is determined by their proportion of the shares and the reserves:
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L232-L233
The problem here is that the reserves don't always have to be correctly balanced using the correct market value ratio, so this can be abused by an attacker.
Example 1:
Price of 1 WBTC = 10,000 USD, price of 1 WETH = 1000 USD
If the attacker is not the first depositor then this attack is still possible:
Example 2:
However, the second attack is only profitable when arbitrage does not happen (because the arbitrage would rebalance the pool after the large swap), but because the SALT pools are built slowly, this attack will still be possible until there is enough liquidity for arbitrage to happen.
Impact
The attacker will be able to profit from this and mint a large amount of USDS. This will also create bad debt, and the protocol will suffer big losses right after the launch.
Proof of Concept
I have included a PoC for both examples described above. Add this to CollateralAndLiquidity.t.sol. As you can see, the attacker will be able to profit a lot from this. Flash loans can be used to perform this attack.
Tools Used
Foundry
Recommended Mitigation Steps
I believe this issue will only be present right after the launch before there is enough liquidity in WBTC/WETH and the SALT pools. So one way to mitigate this would be to allow borrowing only after some time and after the pools are built and have liquidity.
Assessed type
Other
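The valuation problem described in the report, as an added example that is not part of the original submission or the Salty code base: a position is valued as its share of the current reserves at external prices, so reserves that sit off the market ratio change the result. The function names, the sample reserves, the constant-product assumption and the 2% deviation guard are all assumptions made for illustration; the guard is a different check from the time-delay mitigation the report recommends.

```python
from fractions import Fraction

# Prices taken from the report's Example 1; everything else is constructed.
PRICE_WBTC = 10_000  # USD per WBTC
PRICE_WETH = 1_000   # USD per WETH

# Two constructed reserve states (WBTC, WETH) with the same product (1000),
# i.e. both reachable in a constant-product pool (assumed pool model).
BALANCED = (10, 100)   # pool ratio matches the 10:1 price ratio
SKEWED = (1, 1000)     # pool ratio far from the market ratio


def proportional_value(res_wbtc, res_weth, user_shares, total_shares):
    """USD value of a position as its share of the current reserves."""
    share = Fraction(user_shares, total_shares)
    return share * (res_wbtc * PRICE_WBTC + res_weth * PRICE_WETH)


def ratio_deviation(res_wbtc, res_weth):
    """Relative gap between the pool's WBTC price in WETH and the external one."""
    pool_price = Fraction(res_weth, res_wbtc)
    external_price = Fraction(PRICE_WBTC, PRICE_WETH)
    return abs(pool_price - external_price) / external_price


def max_borrow(res_wbtc, res_weth, user_shares, total_shares,
               max_dev=Fraction(2, 100)):
    """50% of collateral value, refused while reserves are off the market ratio.

    max_dev is a hypothetical threshold, not a value from the protocol.
    """
    if ratio_deviation(res_wbtc, res_weth) > max_dev:
        raise ValueError("reserves off market ratio; borrowing refused")
    return proportional_value(res_wbtc, res_weth, user_shares, total_shares) / 2


if __name__ == "__main__":
    for name, (wbtc, weth) in (("balanced", BALANCED), ("skewed", SKEWED)):
        value = proportional_value(wbtc, weth, 1, 1)
        dev = float(ratio_deviation(wbtc, weth))
        print(f"{name}: value={int(value)} USD, ratio deviation={dev:.2f}")
```

With the same reserve product, the skewed state is valued at roughly five times the balanced one, which is the gap a borrow limit based on this valuation inherits.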