Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/333
Comments
The issue described an edge case in the DAO where it can claim SALT rewards without properly distributing them according to the intended mechanism: a portion to the team wallet, another portion burned, and the rest retained in the DAO's balance. This situation arises during the upkeep process on the Liquidizer contract, particularly when the USDS amount set for burning exceeds the Liquidizer's current balance. To cover the shortfall, the protocol withdraws Protocol-Owned Liquidity (POL) from the USDS/DAI and USDS/SALT pools. This liquidity withdrawal results in rewards being distributed to the DAO proportional to the decreased share of liquidity, but without following through with the steps where a share of these rewards should be sent to the team wallet and a portion burned.
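A simplified model of the accounting described above, added here as an illustration and not taken from the Salty.IO contracts or from the report. The class names, the split percentages and the amounts are constructed assumptions; the invariant check is what a regression test for this edge case would assert.

```python
from fractions import Fraction

TEAM_PCT = Fraction(1, 10)  # constructed value, not from the page
BURN_PCT = Fraction(1, 2)   # constructed value, not from the page

class RewardsPool:
    """Toy share-based pool: reducing a share pays out the matching slice of pending rewards."""
    def __init__(self, share, pending):
        self.share, self.pending = Fraction(share), Fraction(pending)

    def claim(self):
        paid, self.pending = self.pending, Fraction(0)
        return paid

    def decrease_share(self, amount):
        paid = self.pending * Fraction(amount) / self.share
        self.share -= amount
        self.pending -= paid
        return paid

class Dao:
    def __init__(self, pool):
        self.pool = pool
        self.received = self.team = self.burned = self.retained = Fraction(0)

    def _split(self, salt):
        # Intended mechanism: team cut first, then burn part of the remainder.
        team = salt * TEAM_PCT
        burn = (salt - team) * BURN_PCT
        self.team += team
        self.burned += burn
        self.retained += salt - team - burn

    def process_rewards(self):
        salt = self.pool.claim()
        self.received += salt
        self._split(salt)

    def withdraw_pol(self, amount, route_through_split):
        salt = self.pool.decrease_share(amount)  # side effect: rewards are paid out
        self.received += salt
        if route_through_split:
            self._split(salt)
        else:
            self.retained += salt  # edge case: rewards land in the DAO balance unsplit

def split_invariant_holds(dao):
    """Every SALT reward the DAO received must have gone through the team/burn split."""
    return (dao.team == dao.received * TEAM_PCT
            and dao.burned == (dao.received - dao.team) * BURN_PCT)

def run(route_through_split):
    dao = Dao(RewardsPool(share=1000, pending=400))
    dao.withdraw_pol(250, route_through_split)  # covering a shortfall during upkeep
    dao.process_rewards()
    return dao
```

With the unsplit path the DAO retains 235 of 400 SALT instead of 180, and the invariant fails.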
Mitigation
https://github.com/othernet-global/salty-io/commit/eaf40ef0fa27314c6e674db6830990df68e5d70e
The mitigation for this issue revolved around the deprecation of a number of key components, including the removal of the overcollateralized USDS stablecoin framework, which also means that borrowing of USDS no longer exists. POL itself was also deprecated for a number of reasons, one of which is that it is no longer needed to cover bad debt or shortfalls in USDS, since there will be none.
Conclusion
LGTM