Closed c4-bot-10 closed 4 months ago
ercDebtRate is admin-controlled and should be trusted.
raymondfam marked the issue as primary issue
raymondfam marked the issue as insufficient quality report
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibSRUtil.sol#L151-L163
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibSRUtil.sol#L156-L161
Vulnerability details
updateErcDebt function in the LibSRUtil library is responsible for updating the ercDebt of a ShortRecord based on the current ercDebtRate.
ercDebt with the difference between the current ercDebtRate and the ShortRecord's stored ercDebtRate.
ercDebt, and the ShortRecord's ercDebtRate is updated to the current ercDebtRate.
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibSRUtil.sol#L151-L163
From the potential manipulation of the ercDebtRate parameter, which is stored in the Asset struct and can be updated by the protocol.
If an attacker can manipulate the ercDebtRate to a significantly higher value, it can inflate the ercDebt of ShortRecords when the updateErcDebt function is called.
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibSRUtil.sol#L156-L161
If the ercDebtRate is manipulated to a much higher value, the ercDebt calculation can result in a significant increase in the ShortRecord's ercDebt.
When the updateErcDebt function is called with the manipulated ercDebtRate, it calculates an inflated ercDebt adjustment for the ShortRecord.
The inflated ercDebt is added to the ShortRecord's existing ercDebt, resulting in a sudden and significant increase in the ShortRecord's debt.
This manipulation can cause ShortRecords that originally had low ercDebt to suddenly meet the minShortErc requirement, making them eligible for liquidation.
Impact
ercDebt across multiple ShortRecords can overwhelm the liquidation process, causing congestion and potential instability in the system.
ercDebtRate can also alter the incentives for liquidators, as ShortRecords with inflated ercDebt may appear more attractive for liquidation, leading to a skewed distribution of liquidation efforts.
Proof of Concept
Manipulation of ercDebtRate to Inflate ercDebt and Trigger Unexpected Liquidations
Pace:
The attacker creates a large number of ShortRecords with low ercDebt values, below the minShortErc threshold. For example:
ercDebt = 500 ether
ercDebt = 600 ether
ercDebt = 400 ether
The current ercDebtRate for the asset is set to a moderate value, let's say 1.2 (120%).
The attacker manipulates the system to significantly increase the ercDebtRate for the asset. They manage to set the ercDebtRate to a much higher value, such as 10.0 (1000%).
The updateErcDebt function is called for each ShortRecord, either through a system process or by the attacker themselves.
Inside the updateErcDebt function, the ercDebt adjustment is calculated using the manipulated ercDebtRate: https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibSRUtil.sol#L156
For ShortRecord A: ercDebt = 500 ether * (10.0 - 1.2) = 4,400 ether
For ShortRecord B: ercDebt = 600 ether * (10.0 - 1.2) = 5,280 ether
For ShortRecord C: ercDebt = 400 ether * (10.0 - 1.2) = 3,520 ether
The calculated ercDebt adjustment is added to the existing ercDebt of each ShortRecord: https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibSRUtil.sol#L158-L161
For ShortRecord A: ercDebt = 500 ether + 4,400 ether = 4,900 ether
For ShortRecord B: ercDebt = 600 ether + 5,280 ether = 5,880 ether
For ShortRecord C: ercDebt = 400 ether + 3,520 ether = 3,920 ether
As a result of the ercDebtRate manipulation and the subsequent updateErcDebt calls, the ercDebt of the ShortRecords has drastically increased.
Assuming the minShortErc threshold is set to 1,000 ether, the inflated ercDebt values now exceed this threshold, making the ShortRecords eligible for liquidation.
Liquidators are now incentivized to liquidate these ShortRecords due to their high ercDebt values, even though they originally had low debt levels.
The sudden influx of ShortRecords eligible for liquidation can overwhelm the liquidation process and create congestion in the system.
Hit:
Recommended Mitigation Steps
Implement strong access controls and validation mechanisms for updating the ercDebtRate. The protocol should enforce strict limits on the magnitude and frequency of ercDebtRate changes to prevent sudden and drastic increases that can destabilize the system.
Additionally, implementing rate-limiting mechanisms, circuit breakers, and multi-sig approvals for ercDebtRate updates can help mitigate the risk of manipulation by malicious actors.
A maxDebtRateIncrease parameter is introduced to limit the maximum allowed increase in ercDebtRate during each update. If the ercDebtRate exceeds the ShortRecord's stored ercDebtRate by more than maxDebtRateIncrease, it is capped to the maximum allowed value. This helps prevent sudden and drastic increases in ercDebt due to ercDebtRate manipulation.
updateErcDebt:
Assessed type
Invalid Validation
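
The arithmetic in this report and the maxDebtRateIncrease cap it recommends, as an added Python model; this is not code from the report or from the DittoETH repository. Assumptions: 18-decimal fixed point, a constructed cap value of 0.5, hypothetical names, and a stored rate that advances only to the capped value.

```python
from dataclasses import dataclass
from typing import Optional

WAD = 10**18  # assumed 18-decimal fixed-point scale for "ether" amounts and rates


@dataclass
class ShortRecord:
    erc_debt: int       # WAD-scaled debt
    erc_debt_rate: int  # WAD-scaled rate last applied to this record


def mul_wad(a: int, b: int) -> int:
    """Fixed-point multiply, rounding down."""
    return a * b // WAD


def update_erc_debt(short: ShortRecord, asset_rate: int,
                    max_debt_rate_increase: Optional[int] = None) -> int:
    """Apply the rate delta since the record's last update; return the adjustment.

    With max_debt_rate_increase set, the delta applied in one call is capped
    (hypothetical parameter modelled on the report's mitigation text).
    """
    if asset_rate < short.erc_debt_rate:
        raise ValueError("asset rate is below the record's stored rate")
    target = asset_rate
    if max_debt_rate_increase is not None:
        target = min(asset_rate, short.erc_debt_rate + max_debt_rate_increase)
    adjustment = mul_wad(short.erc_debt, target - short.erc_debt_rate)
    if adjustment > 0:
        short.erc_debt += adjustment
        short.erc_debt_rate = target  # assumption: advance only to the capped rate
    return adjustment


def run_report_scenario(cap: Optional[int] = None) -> dict:
    """Replay the report's figures: stored rate 1.2, asset rate 10.0."""
    stored, current = 12 * WAD // 10, 10 * WAD
    result = {}
    for name, debt in (("A", 500), ("B", 600), ("C", 400)):  # figures from the report
        record = ShortRecord(debt * WAD, stored)
        update_erc_debt(record, current, cap)
        result[name] = record.erc_debt // WAD  # whole-ether debt after one call
    return result


if __name__ == "__main__":
    print("uncapped:", run_report_scenario())
    print("capped at 0.5:", run_report_scenario(cap=WAD // 2))
```

Under these assumptions the cap bounds a single call, not the total: a second call against the same asset rate applies another capped step, which is why the report pairs the magnitude limit with a frequency limit.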