Since there are no caps on borrow amounts, a user can continuously borrow TAU risk free by monitoring the _disburseTau variables. Since the TAU will be borrowed with the collaterals yield it will be small amounts but risk free. Therefore, user has no reason to dump the TAU in secondary market since the tokens are basically free win.
Vulnerability Detail
Example: User A deposit 100 collateral tokens and not borrows anything. User A checks the tauWithheld, tokensLastDisbursedTimestamp, cumulativeTauRewardPerCollateral and userDetails[_account].lastUpdatedRewardPerCollateral. Once user satisfies with the calculated _extraRewardPerCollateral, user can derive the new cumulativeTauRewardPerCollateral hence the _rewardDiff. If rewardDiff is known in user end user can basically calculate the _tauEarned and borrow that amount. As long as gas fee < tauGains user will be in profit. Selling TAU to secondary market contionusly will break this strategies efficient eventually since the TAU amount in the secondary market will increase hence the price will decrease. User is waiving his potential reward yield over TAU rewards. So in theory user is not actually winning anything, user is just converting his yield from vaults reward token to TAU. However, this can hurt the system if the user is not doing this for profit but to damage the protocol. Also, if sometime in future TAU incentives added to the contract on top of the reward yield from collaterals this strategy will be profitable for user so he has a financial reason to do so. Extra TAU incentives can be given via this function:
https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/TauDripFeed.sol#L51-L60
This is the whole point of the protocol! But to go into a little more detail, keep in mind that:
This strategy is technically not risk-free. The user will need to take out a loan before it can be paid off, so in the meantime (while rewards are being distributed second-by-second) the user will have an open loan.
When the user does not have an open loan, their rewards will instead be distributed to others in the protocol. The user would be more benefitted by taking out a slightly larger loan which will take more than a few hours to be repaid, and at that point we're talking about the central use case of Taurus.
mstpr-brainbot
medium
Free TAU borrows
Summary
Since there are no caps on borrow amounts, a user can continuously borrow TAU risk free by monitoring the _disburseTau variables. Since the TAU will be borrowed with the collaterals yield it will be small amounts but risk free. Therefore, user has no reason to dump the TAU in secondary market since the tokens are basically free win.
Vulnerability Detail
Example: User A deposit 100 collateral tokens and not borrows anything. User A checks the tauWithheld,
tokensLastDisbursedTimestamp
,cumulativeTauRewardPerCollateral
anduserDetails[_account].lastUpdatedRewardPerCollateral
. Once user satisfies with the calculated_extraRewardPerCollateral
, user can derive the newcumulativeTauRewardPerCollateral
hence the_rewardDiff
. If rewardDiff is known in user end user can basically calculate the_tauEarned
and borrow that amount. As long as gas fee < tauGains user will be in profit. Selling TAU to secondary market contionusly will break this strategies efficient eventually since the TAU amount in the secondary market will increase hence the price will decrease. User is waiving his potential reward yield over TAU rewards. So in theory user is not actually winning anything, user is just converting his yield from vaults reward token to TAU. However, this can hurt the system if the user is not doing this for profit but to damage the protocol. Also, if sometime in future TAU incentives added to the contract on top of the reward yield from collaterals this strategy will be profitable for user so he has a financial reason to do so. Extra TAU incentives can be given via this function: https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/TauDripFeed.sol#L51-L60Impact
Code Snippet
https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/BaseVault.sol#L92-L103
Tool used
Manual Review
Recommendation