c4-judge
commented
5 months ago Picodes marked the issue as satisfactory
Open c4-bot-6 opened 6 months ago
c4-judge
commented
5 months ago Picodes marked the issue as satisfactory
Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/137
Comments
The core issue arises from the mechanism within the Liquidizer contract for handling USDS repayments, where repaid USDS is earmarked for burning but not immediately destroyed. Instead, the amount to be burnt is tracked and increased with each repayment, but without a corresponding increase in the Liquidizer's actual USDS balance. During upkeep, if the Liquidizer lacks sufficient USDS to burn the tracked amount, it resorts to liquidating Protocol Owned Liquidity (POL) to obtain USDS for burning, aiming to manage bad debt from liquidations. This system, inherently reliant on POL to cover any shortfall in USDS, risks depleting POL reserves. If POL is exhausted, the protocol faces a critical inability to cover bad debt, potentially destabilizing USDS's value.
Mitigation
https://github.com/othernet-global/salty-io/commit/8e3231d3f444e9851881d642d6dd03021fade5ed
The mitigation for this issue revolved around the deprecation of number of key components including the removal of the overcollateralized USDS stablecoin framework, which also meant borrowing of USDS no longer exists. POL itself was also deprecated due to a number of reasons, one of which is that it was no longer needed to cover bad debt, since there will be none.
Conclusion
LGTM