search

sherlock-audit / 2023-08-cooler-judging

2 stars 0 forks source link

Mlome - `Clearinghouse` is giving away undercollateralized loans because of constant rate #87

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Mlome

high

Clearinghouse is giving away undercollateralized loans because of constant rate

Summary

All the loans created by Clearinghouse have a fixed rate of 3,000 DAI/gOHM which is less than the current price (~$2900 as of August 2023). Hence, Clearinghouse is giving away money!

Vulnerability Detail

The LOAN_TO_COLLATERAL rate is hardcoded as a constant to 3000e18 in the Clearinghouse contract. This means that all the loans created by Clearinghouse have a rate of 3,000 DAI/gOHM

File Clearinghouse.sol

L55: uint256 public constant LOAN_TO_COLLATERAL = 3000e18;       // 3,000 DAI/gOHM

Proof of Concept

This test that can be added to Clearing.t.sol shows how requesting 3000 DAI (worth $3000) requires only 1e18 gOHM (worth ~$2900 at time of writing).

function test_BUG_undercollateralized_loan() public {
    uint256 loanAmount_ = 3000e18;
    // Requesting a loan of 3000e18 DAI
    (Cooler cooler, uint256 gohmNeeded, uint256 loanID) = _createLoanForUser(loanAmount_);

    // 1e18 gOHM were sent as collateral
    assertEq(gohm.balanceOf(address(cooler)), 1e18);
    assertEq(dai.balanceOf(address(user)), 3000e18);

    console.log("Cooler has", gohm.balanceOf(address(cooler)), "gOHM"); // Cooler has 1000000000000000000 gOHM
    console.log("User has  ", dai.balanceOf(address(user)), "DAI");     // User has   3000000000000000000000 DAI       
}

Impact

Clearinghouse is giving away undercollateralized loans as soon as the price of gOHM goes bellow $3000. So, if the price of gOHM goes below $3000 (which is currently the case) the treasury can be drained (up to FUND_AMOUNT, i.e. 18 million) by requesting undercollateralized loans.

The protocol can be drained in on transaction by leveraging a flashloan:

  1. Attacker takes a flashloan of gOHM
  2. Attacker takes a loan of FUND_AMOUNT (18 million DAI)
  3. Attacker sells the DAI for gOHM
  4. Attacker reimburses the flashloan and takes the profit

Code Snippet

https://github.com/ohmzeus/Cooler/blob/c6f2bbe1b51cdf3bb4d078875170177a1b8ba2a3/src/Clearinghouse.sol#L55

Tool used

Manual Review

Recommendation

LOAN_TO_COLLATERAL should not be a constant and should be updatable by the governance.

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

0xyPhilic commented:

invalid because this incentivises arbitrages in order to keep the gOHM price at 3k accross AMMs and it seems like a design choice

oot2k commented:

intended design

MiniGlome commented 1 year ago

So the first buyers will get free money?

MiniGlome commented 1 year ago

In my opinion this is a valid issue (at least Medium) as the price should be fixed at deployment time to the current trading price to avoid huge arbitrage to the detriment of the protocol. The protocol will loose funds if the contract is deployed when the gOHM price is < $3000.