search

code-423n4 / 2024-03-dittoeth-findings

0 stars 0 forks source link

Insufficient Collateral Handling on Partial Short Exits #251

Closed c4-bot-2 closed 4 months ago

c4-bot-2 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/ExitShortFacet.sol#L198-L200

Vulnerability details

Description

the bug is in the exitShort function this functio is lies in the static adjustment of collateral without reevaluating the collateral ratio after the market bid's outcome. and this is fails to account for real-time fluctuations in market conditions, as price slippage or partial fulfillment of the exit order, leading to potentially under-collateralized positions. Specifically, the subtraction of e.ethFilled from short.collateral is performed without ensuring that the remaining collateral is adequate to maintain a safe collateral ratio, given the new reduced ERC debt (short.ercDebt -= e.ercFilled).

Impact

the bug is lead to potentially under-collateralized positions and attackers can exploit this by creating conditions for under-collateralization

Proof of Concept

i fuzz with this scenario
Buyback Amount: 82 ERC Price: 2 ETH per ERC Collateral: 56 ETH ERC Debt: 95 ERC

# Parameters
buyback_amount = 82  # ERC
price = 2  # ETH per ERC
collateral = 56  # ETH
erc_debt = 95  # ERC

# Calculation
eth_required = buyback_amount * price  # ETH required for the buyback

# Logic Check (Simulating Contract's Behavior)
if eth_required > collateral:
    print(f"Operation failed: Insufficient collateral. {eth_required} ETH required, but only {collateral} ETH available.")
else:
    new_collateral = collateral - eth_required  # This would be the bug in the contract logic
    print(f"Operation proceeded. New collateral: {new_collateral} ETH")

# Output from this scenario
print(f"ETH Required: {eth_required}, Available Collateral: {collateral}")

as result The ETH required for the buyback would be 82 * 2 = 164 ETH. and the available collateral is only 56 ETH the available collateral is only 56 ETH the check correctly identifies that the required 164 ETH exceeds the available 56 ETH of collateral, and as per the simulated condition

Operation failed: Insufficient collateral. 164 ETH required, but only 56 ETH available.

the logic for handling partial exits does not accurately adjust the collateral leading to potential inconsistencies in state.

Tools Used

manual review

Recommended Mitigation Steps

check after the bid is executed to compare the new collateral ratio against the initial ratio

Assessed type

Other

c4-pre-sort commented 5 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as primary issue

raymondfam commented 5 months ago

Could have had more elaborate POC.

c4-sponsor commented 5 months ago

ditto-eth (sponsor) disputed

ditto-eth commented 5 months ago

exit short reverts when cr doesn't improves. see: https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/ExitShortFacet.sol#L204

c4-judge commented 4 months ago

hansfriese marked the issue as unsatisfactory: Invalid