Closed sherlock-admin4 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid; medium(12)
While a valid finding, this is a tradeoff between mathematical complexity (i.e. gas costs) of performing exponential penalties vs simplicity. If someone notices early that a minter missed an update, they can "poke" their account to be hit with a penalty, thus allowing for exponential penalties by doing that every update interval. If no one notices, then a linear penalty rate will apply. This actually incentives people to watch minters' accounts to ensure the max penalties are applied. After "enough" missed updates (up to governance) the minter will be removed. Therefore, the existing mechanic is favourable to the protocol to ensure people are watching and not letting a minter go derelict unnoticed.
Consider if the contract automatically computed exponential penalties, it is more likely that the minter's derelict status goes unnoticed for longer (since no one is incentivized to "poke" their account), and their actual off-chain collateral may not be enough o back their on-chain debt, and thus M.
So, long story short, it is a valid finding, but a known one that kinda works in the greater protocol's favor, that saves on gas/complexity, and won't be "fixed". I'm not sure this is an issue.
@deluca-mike Was this implied as a design choice publicly during the time of the audit? I believe medium severity is appropriate otherwise.
This is an expected by-design situation. Minter should be incentivized to update their collateral as soon as possible, especially if they missed an interval already. If there is an economic incentive for any actor in the system to catch non-compliant minters it will be done via burnM
function. We put extra care to avoid penalization of minters twice for the same missed intervals to give minters time to update their collateral in the next interval after the missed one.
@nevillehuangΒ It can be considered as an issue only if minters are penalized more than once for missed collateral updates.
@toninorair Did you have a chance to look at the duplicates, #5, #49 and #79? Are they duplicates? This issue wise I definitely agree with invalidating based on the following rule
- Design decisions are not valid issues. Even if the design is suboptimal, but doesn't imply any loss of funds, these issues are considered informational.
@nevillehuang 5 and 49 are duplicates, 79 is not. I will double-check 79 again, but 5, 49, and 37 are the same an invalid from our perspective.
0xpiken
medium
A malicious user could cause the
M
Minter to incur more penalties by callingburnM()
Summary
A malicious user could cause the Minter to incur more penalties by calling
burnM()
Vulnerability Detail
Minters maintain their on-chain collateral value by calling
MinterGateway#updateCollateral()
periodically. They have to pay penalty if they fail to callupdateCollateral()
within Update Collateral Interval of the previous time they called it. The penalty will be calculated as below at the time of nextupdateCollateral()
:ππππππ‘π¦ππππ‘ππ = πππ‘ππ£πππ€πππππππ‘ππ πππ π πππΌππ‘πππ£πππ ππ’π ππππππ‘π¦π ππ‘π
Any
M
holder can repay M owed by a Minter by callingburnM()
. The penalty will be updated inburnM()
if the Minter miss collateral updates within Update Collateral Interval. A malicious user could compound the penalty by periodically callingburnM()
:ππππππ‘π¦ππππ‘ππ = πππ‘ππ£πππ€πππππππ‘ππ * ((1+ππππππ‘π¦π ππ‘π) πππ π πππΌππ‘πππ£πππ ππ’π - 1)
As we can see, a malicious user could theoretically increase the penalty of the Minter who missed πππ π πππΌππ‘πππ£πππ ππ’π of Update Collateral Interval as below: πππ‘ππ£πππ€πππππππ‘ππ ((1+ππππππ‘π¦π ππ‘π) πππ π πππΌππ‘πππ£πππ ππ’π - 1) - πππ‘ππ£πππ€πππππππ‘ππ πππ π πππΌππ‘πππ£πππ ππ’π ππππππ‘π¦π ππ‘π = πππ‘ππ£πππ€πππππππ‘ππ ((πππ π πππΌππ‘πππ£πππ ππ’π! ππππππ‘π¦π ππ‘π2 / ((πππ π πππΌππ‘πππ£πππ ππ’π-2)! 2!) + (πππ π πππΌππ‘πππ£πππ ππ’π! ππππππ‘π¦π ππ‘π2 / ((πππ π πππΌππ‘πππ£πππ ππ’π-3)! 3!) + ...)
Copy below codes to Integration.t.sol and run
forge test --match-test test_CompoundedPenaltyByCallingBurnM
Impact
A malicious user could cause the Minter to incur more penalties by calling
burnM()
Code Snippet
https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/MinterGateway.sol#L343
Tool used
Manual Review
Recommendation
When
burnM()
is called to repay M owed by a Minter, consider imposing a minimum threshold on the amount of M to be repaid if the Minter is subject to penalty of missing collateral update.