If the Redemption requested ShortRecord is closed for various reasons and then canceled redemption by disputeRedemption, the user cannot get the collateral back because the ShortRecord has already been closed.
function disputeRedemption(address asset, address redeemer, uint8 incorrectIndex, address disputeShorter, uint8 disputeShortId)
external
isNotFrozen(asset)
nonReentrant
{
...
MTypes.ProposalData[] memory decodedProposalData =
LibBytes.readProposalData(redeemerAssetUser.SSTORE2Pointer, redeemerAssetUser.slateLength);
...
if (disputeCR < incorrectProposal.CR && disputeSR.updatedAt + C.DISPUTE_REDEMPTION_BUFFER <= redeemerAssetUser.timeProposed)
{
// @dev All proposals from the incorrectIndex onward will be removed
// @dev Thus the proposer can only redeem a portion of their original slate
for (uint256 i = incorrectIndex; i < decodedProposalData.length; i++) {
@> currentProposal = decodedProposalData[i];
@> STypes.ShortRecord storage currentSR = s.shortRecords[d.asset][currentProposal.shorter][currentProposal.shortId]; // The currentSR might be closed
@> currentSR.collateral += currentProposal.colRedeemed;
@> currentSR.ercDebt += currentProposal.ercDebtRedeemed;
d.incorrectCollateral += currentProposal.colRedeemed;
d.incorrectErcDebt += currentProposal.ercDebtRedeemed;
}
...
} ...
}
For example:
Alice ShortRecord #3 is in proposesRedemption . There is remaining ercDebt and collateral in ShortRecord #3 due to redemptionAmount.
Alice calls exitShortWallet . Now the ShortRecord #3 is closed.
Bob calls disputeRedemption, canceling Alice's ShortRecord #3 redemption. It returns ercDebt and collateral to ShortRecord #3.
But Alice's ShortRecord #3 is already closed. Alice can't handle the collateral or ercDebt of this short.
There are many scenarios where ShortRecord #3 could be closed unintentionally. For example, if the same ShortRecord is called proposeRedemption twice due to redemptionAmount , first claim could close ShortRecord #3. Even if a dispute occurs in the other proposal later, Alice cannot handle the returned funds. Since it's closed, it can't be requested to redeem or liquidate again.
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L264-L268
Vulnerability details
Impact
The user loses collateral.
Proof of Concept
If the Redemption requested ShortRecord is closed for various reasons and then canceled redemption by
disputeRedemption
, the user cannot get the collateral back because the ShortRecord has already been closed.For example:
proposesRedemption
. There is remaining ercDebt and collateral in ShortRecord #3 due toredemptionAmount
.exitShortWallet
. Now the ShortRecord #3 is closed.disputeRedemption
, canceling Alice's ShortRecord #3 redemption. It returns ercDebt and collateral to ShortRecord #3.There are many scenarios where ShortRecord #3 could be closed unintentionally. For example, if the same ShortRecord is called
proposeRedemption
twice due toredemptionAmount
, first claim could close ShortRecord #3. Even if a dispute occurs in the other proposal later, Alice cannot handle the returned funds. Since it's closed, it can't be requested to redeem or liquidate again.This is PoC. Add it to the Redemption.t.sol file.
Tools Used
Manual Review
Recommended Mitigation Steps
Prevent redeeming ShortRecord from being closed.
Assessed type
Other