Closed c4-bot-2 closed 4 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
The described POC isn't as discrete as it should be in #32, #33, and #34.
hansfriese marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L224-L272
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L259
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L289-L291
Vulnerability details
Detailed Description
The calculation of the penalty for a successful dispute is performed in the disputeRedemption function. This allows users to dispute an invalid redemption proposal and rewards them with a portion of the disputed collateral as a penalty paid by the proposer.
RedemptionFacet.sol#disputeRedemption
Key inputs to this function are asset (the asset being disputed), redeemer (the address of the redeemer), incorrectIndex (the index of the incorrect proposal), disputeShorter (the address of the disputed ShortRecord), and disputeShortId (the ID of the disputed ShortRecord).
Code responsible: RedemptionFacet.sol#L259, RedemptionFacet.sol#L289-L290
If there are any vulnerabilities or ways to manipulate the collateral ratio calculation, an attacker could potentially exploit this to gain unfair rewards or penalties.
An attacker could potentially exploit this to their advantage. They could manipulate the collateral ratios to make the disputed ShortRecord appear to have a significantly lower collateral ratio than the incorrect proposal, resulting in a higher penalty percentage and unfair rewards for the disputer.
Alternatively, an attacker could manipulate the collateral ratios to make a valid ShortRecord appear to have a higher collateral ratio than the incorrect proposal, leading to an invalid dispute and potential penalties for the honest disputer.
Impact
Proof of Concept
To develop a clear proof-of-concept (PoC) that demonstrates the issue with the collateral ratio calculation in the dispute process and its potential impact on the protocol and users, we can create a test scenario that exploits the vulnerability. Here's a step-by-step PoC:
Setup:
incorrectIndex.
Exploit:
disputeRedemption function with the following inputs:
asset: The address of the asset being disputed.
redeemer: The address of the redeemer who made the incorrect proposal.
incorrectIndex: The index of the incorrect proposal.
disputeShorter: The address of the manipulated ShortRecord.
disputeShortId: The ID of the manipulated ShortRecord.
Expected Result:
disputeRedemption function should accurately compare the collateral ratios of the disputed ShortRecord and the incorrect proposal.
Actual Result:
disputeRedemption function compares the manipulated collateral ratio of the disputed ShortRecord (1.2) with the incorrect proposal's collateral ratio (1.5).
Tools Used
VS Code
Recommended Mitigation Steps
Assessed type
Invalid Validation