code-423n4 / 2024-06-size-findings


If a user has placed both a buy limit order and a sell limit order, and the sell limit order has a lower APR, the user will be vulnerable to arbitrage. #60

Closed c4-bot-4 closed 2 months ago

c4-bot-4 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/CapsLibrary.sol#L19-L44

Vulnerability details

Impact

If a user has placed both a buy limit order and a sell limit order, and the sell limit order has a lower APR, the user will be vulnerable to arbitrage.

Bug Description

The protocol allows users to place buy credit limit orders and sell credit limit orders. If a user has both buy and sell limit orders placed, and the sell limit order has a lower APR at a specific tenor, he will be arbitraged.

Here’s an example:

  1. User places a sell limit order with a tenor of 30 days and an APR of 20%, and a buy limit order with a tenor of 30 days and an APR of 10%.
  2. An arbitrager can buy the user’s sell limit order with X amount of cash tokens, receiving a future credit of 1.2X (excluding swap fees).
  3. The arbitrager can then sell the 1.2X credit to the user to fill the buy limit order, receiving 1.2X / 1.1 = 1.09X amount of cash tokens.

In the end, the arbitrager earns 0.09X amount of cash tokens, and the user is left with a loan to themselves.

Note that in order to avoid being arbitraged, the YieldCurves for the user must not intersect, and the sell limit order YieldCurve must be strictly higher than the buy limit order YieldCurve. However, currently there is no check for this.

In a traditional CEX, if someone wants to place an order where the sell price is higher than the buy price, his sell price will be automatically cancelled. So similar to that, the protocol should also have such a mechanism to prevent users from being arbitraged.

Proof of Concept

Presented above.

Tools Used

Manual review

Recommended Mitigation Steps

A few ways to mitigate this issue:

  1. Do not allow a user to open both a sell limit order and a buy limit order.
  2. Add a check that the sell limit order APR must be strictly above the buy limit APR. This would involve computational geometry to detect segment intersection, which is complicated to implement onchain. Thus approach 1 is more recommended.

Assessed type

Other
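An off-chain version of the curve comparison mentioned in mitigation 2, added here as an example and not part of the original report or the Size code base: it applies the round-trip arithmetic from steps 1 to 3 to two piecewise-linear curves and returns the tenor ranges where the round trip pays out more cash than it cost. Assumptions: curves are sorted `(tenor_days, rate)` points with linear interpolation, the rate is applied to the tenor directly as in the report's arithmetic, swap fees are ignored, and all function names are hypothetical.

```python
from fractions import Fraction as F

def rate_at(curve, tenor):
    """Linear interpolation over [(tenor_days, rate), ...] sorted by tenor."""
    for (t0, r0), (t1, r1) in zip(curve, curve[1:]):
        if t0 <= tenor <= t1:
            return r0 + (r1 - r0) * (tenor - t0) / (t1 - t0)
    return curve[0][1]  # single-point curve; callers keep tenor in range

def round_trip(sell_rate, buy_rate):
    """Steps 2-3: X cash -> X*(1+sell) credit -> X*(1+sell)/(1+buy) cash."""
    return (1 + sell_rate) / (1 + buy_rate)

def exposed_tenors(sell_curve, buy_curve):
    """Return [(start, end, max_multiplier)] where the round trip exceeds 1.

    An empty list means no tenor gives a taker more cash than they put in."""
    lo = max(sell_curve[0][0], buy_curve[0][0])
    hi = min(sell_curve[-1][0], buy_curve[-1][0])
    if lo > hi:
        return []  # the two curves share no tenor
    gap = lambda t: rate_at(sell_curve, t) - rate_at(buy_curve, t)
    mult = lambda t: round_trip(rate_at(sell_curve, t), rate_at(buy_curve, t))
    if lo == hi:
        return [(lo, hi, mult(lo))] if gap(lo) > 0 else []
    # Between adjacent knots both curves are linear, so the gap is linear too.
    knots = sorted({lo, hi} | {t for t, _ in sell_curve + buy_curve if lo < t < hi})
    out = []
    for a, b in zip(knots, knots[1:]):
        da, db = gap(a), gap(b)
        if da <= 0 and db <= 0:
            continue
        # Clip the segment at the crossing point when the gap changes sign.
        start = a if da >= 0 else a + (b - a) * (-da) / (db - da)
        end = b if db >= 0 else a + (b - a) * da / (da - db)
        worst = max(mult(a), mult(b))  # ratio is monotone on a linear segment
        if out and out[-1][1] == start:  # merge with the touching interval
            start, worst = out[-1][0], max(worst, out.pop()[2])
        out.append((start, end, worst))
    return out

if __name__ == "__main__":
    # Constructed input matching the report's example: 20% and 10% at 30 days.
    sell = [(30, F(20, 100))]
    buy = [(30, F(10, 100))]
    print(exposed_tenors(sell, buy))  # multiplier 12/11, the report's 1.09X
```

Using `Fraction` inputs keeps crossing points and multipliers exact; floats also work if approximate boundaries are acceptable.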

hansfriese commented 2 months ago

User mistake

c4-judge commented 2 months ago

hansfriese marked the issue as unsatisfactory: Invalid