c4-bot-3 closed this issue 5 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
Opposing scenario to #205.
ditto-eth (sponsor) disputed
From known issues: https://github.com/code-423n4/2024-03-dittoeth?tab=readme-ov-file#automated-findings--publicly-known-issues "Currently allowed to redeem at any CR under 2, even under 1 CR."
Instead of using dUSD to redeem at < 1 CR (and not get full value in ETH), the user should just primary liquidate instead and get fees. In case of an empty order book, the user could make an ask to match with the forced bid in order to fulfill the liquidation.
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/RedemptionFacet.sol#L116-L125
Vulnerability details
Impact
The redemption rate increases too much when undercollateralized short records are redeemed. The redeemer pays too high (or inconsistent) fees.
Proof of Concept
When proposing a redemption, the amount proposed is what is redeemed as collateral from a short record. When an undercollateralized short record is redeemed, `colRedeemed`, which accounts for how much collateral has been redeemed, is capped to the short record's collateral balance. The amount proposed is not reduced in the same way, however. RedemptionFacet.sol#L116-L125:

In this case `p.totalColRedeemed` is therefore smaller in value than `p.totalAmountProposed`. These are the values used to calculate the redemption fee:

Specifically, the redemption fee is proportional to `p.totalColRedeemed`, but the increase in the base rate is proportional to `p.totalAmountProposed`.
Note how this effect can be used to assist an exploit described in my report titled "A successfully disputed redemption proposal has still increased the redemption fee base rate; exploit to depeg dUSD".
Recommended Mitigation Steps
If the collateral is insufficient to cover the proposed amount, reduce the proposed amount accordingly.
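A constructed model of the accounting the report describes, added here as an illustration; it is not DittoETH's code and not part of the original report. It assumes, as a stand-in for the protocol's real formula, that the base rate rises by the fraction of system debt proposed and that the fee is the new rate applied to the collateral actually redeemed, and it compares the capped-collateral case with and without the recommended reduction of the proposed amount.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, as in the Solidity code base

@dataclass
class Proposal:
    total_amount_proposed: int = 0  # dUSD the redeemer asked to redeem
    total_col_redeemed: int = 0     # ETH actually taken from the shorts

def add_short_to_proposal(short_collateral, amount, price_eth_per_dusd, p, reduce_amount):
    """Account one short record (collateral in wei) in a redemption proposal.

    reduce_amount=False mirrors the behaviour the report describes: colRedeemed
    is capped to the short's collateral but amountProposed is not reduced.
    reduce_amount=True applies the report's recommended mitigation.
    """
    col_needed = amount * price_eth_per_dusd // WAD
    col_redeemed = min(col_needed, short_collateral)
    if col_needed > short_collateral and reduce_amount:
        # credit only the dUSD that the available collateral actually covers
        amount = short_collateral * WAD // price_eth_per_dusd
    p.total_amount_proposed += amount
    p.total_col_redeemed += col_redeemed
    return col_redeemed

def settle_fee(base_rate, system_debt, p):
    """Constructed fee model (an assumption, not the protocol's formula): the
    base rate rises by the fraction of system debt proposed, and the fee is
    the new rate applied to the collateral actually redeemed."""
    new_base_rate = min(base_rate + p.total_amount_proposed * WAD // system_debt, WAD)
    fee = new_base_rate * p.total_col_redeemed // WAD
    return new_base_rate, fee

def scenario(reduce_amount):
    """Redeem 1000 dUSD against a 1000 dUSD short at 0.9 CR, ETH at 1000 dUSD."""
    price = WAD // 1000                   # 0.001 ETH per dUSD (constructed)
    p = Proposal()
    add_short_to_proposal(9 * WAD // 10, 1000 * WAD, price, p, reduce_amount)
    return settle_fee(0, 10_000 * WAD, p)  # base rate 0, 10k dUSD system debt

if __name__ == "__main__":
    for flag in (False, True):
        rate, fee = scenario(flag)
        print(f"reduce_amount={flag}: base rate {rate / WAD:.3f}, fee {fee / WAD:.4f} ETH")
```

Without the reduction the base rate moves as if the full 1000 dUSD had been redeemed although only 0.9 ETH of collateral was taken; with it, both the rate increase and the fee scale with what was actually redeemed.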
Assessed type
Other