Therefore, calling voteDelegate::lock(0) within the same block results in a revert.
This will cause the liquidation process: Dog::bark() -> LockstakeClipper::kick() -> LockstakeEngine::onKick() to revert.
    function onKick(address urn, uint256 wad) external auth {
        // Urn confiscation happens in Dog contract where ilk vat.gem is sent to the LockstakeClipper
        (uint256 ink,) = vat.urns(ilk, urn);
        uint256 inkBeforeKick = ink + wad;
@>>     _selectVoteDelegate(urn, inkBeforeKick, urnVoteDelegates[urn], address(0));
        _selectFarm(urn, inkBeforeKick, urnFarms[urn], address(0), 0);
        lsmkr.burn(urn, wad);
        urnAuctions[urn]++;
        emit OnKick(urn, wad);
    }
Thus, liquidation can be blocked.
Internal pre-conditions
No response
External pre-conditions
1. The position has borrowed a large amount of DAI, leading to the possibility of liquidation.
2. The MKR Oracle price drops, causing the position to meet the conditions for liquidation.
Attack Path
1. Stake a large amount of MKR or NGT.
2. Borrow a large amount of DAI.
3. The MKR Oracle price drops, causing the position to meet the conditions for liquidation.
4. Detect the transaction that initiates the liquidation of the position.
5. Front-run the liquidation by calling voteDelegate::lock(0).
6. The liquidation fails.
7. Repeat steps 4 and 5, making it possible for the position to never be liquidated.
Impact
This can prevent the position from ever being liquidated, causing the Maker protocol to incur losses.
ZeroTrust
Medium
An attacker can prevent liquidation by front-running it with the voteDelegate::lock() function when their position is being liquidated.
Summary
voteDelegate::lock() accepts a zero amount, enabling attackers to front-run the liquidation function with this call and block the liquidation.
Root Cause
Within VoteDelegateLike(voteDelegate).lock(), chief.lock(wad) is called. https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/vote-delegate/src/VoteDelegate.sol#L85
In the chief contract, chief.free() cannot be called in the same block as chief.lock(). https://vscode.blockscan.com/ethereum/0x0a3f6849f78076aefaDf113F5BED87720274dDC0
Therefore, calling voteDelegate::lock(0) within the same block results in a revert. This will cause the liquidation process: Dog::bark() -> LockstakeClipper::kick() -> LockstakeEngine::onKick() to revert.
https://vscode.blockscan.com/ethereum/0x135954d155898D42C90D2a57824C690e0c7BEf1B
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L229
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L422
Thus, liquidation can be blocked.
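The same-block guard described above, as an added Python model that is not code from the report or from the Maker contracts. The `last` bookkeeping, the names `Chief`, `on_kick` and `replay`, and the constructed transaction labels `lock0` and `bark` are assumptions made for illustration.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class Chief:
    """Assumed minimal model of the chief: free() reverts in the block of the caller's last lock()."""
    def __init__(self):
        self.block = 1
        self.deposits = {}
        self.last = {}  # caller -> block number of its most recent lock() (assumed bookkeeping)

    def lock(self, caller, wad):
        self.last[caller] = self.block  # updated even when wad == 0
        self.deposits[caller] = self.deposits.get(caller, 0) + wad

    def free(self, caller, wad):
        if self.block <= self.last.get(caller, 0):
            raise Revert("free() in same block as lock()")
        if self.deposits.get(caller, 0) < wad:
            raise Revert("insufficient deposit")
        self.deposits[caller] -= wad

def on_kick(chief, delegate, ink_before_kick):
    """Models the marked line of onKick: moving the urn off its delegate frees from the chief."""
    chief.free(delegate, ink_before_kick)

def replay(blocks, delegate="delegate-A", staked=100):
    """Replay constructed blocks of ordered transactions.

    Each block is a list of labels: "lock0" = voteDelegate::lock(0),
    "bark" = a liquidation attempt that reaches onKick.
    Returns (block_number, outcome) for every liquidation attempt.
    """
    chief = Chief()
    chief.lock(delegate, staked)  # stake delegated in block 1
    results = []
    for txs in blocks:
        chief.block += 1
        for tx in txs:
            if tx == "lock0":
                chief.lock(delegate, 0)
            elif tx == "bark":
                try:
                    on_kick(chief, delegate, staked)
                    results.append((chief.block, "kicked"))
                except Revert as exc:
                    results.append((chief.block, f"reverted: {exc}"))
    return results
```

Replaying a block where the zero-amount lock is ordered before the liquidation shows the revert, while the reverse ordering or a later block lets the kick through.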
Internal pre-conditions
No response
External pre-conditions
Attack Path
Impact
This can prevent the position from ever being liquidated, causing the Maker protocol to incur losses.
PoC
Mitigation
No response
Duplicate of #62