zraxx - The function `drip` will revert when diff is 0, which leads to the DOS of key functionalities.

[sherlock-admin4]

zraxx

Medium

The function drip will revert when diff is 0, which leads to the DOS of key functionalities.

Summary

In SNst.sol, the function withdraw, redeem, mint and deposit will be DOSed as the function drip reverts. This problem will occur in the following two scenarios:

1. When the difference between block.timestamp and rho is small, it may cause nChi to be the same as chi.
2. When the nsr is set to a smaller value, it may cause nChi to be the same as chi. **An extreme case is when nsr=RAY, nChi will always be equal to chi, which causes the contract to be permanently DOS until the admin updates it.**

Root Cause

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/sdai/src/SNst.sol#L214-L229

In SNst.sol:220, there is no check whether diff is 0, causing the parameter of nstJoin.exit to be 0.

Internal pre-conditions

No pre-conditions

External pre-conditions

No pre-conditions

Attack Path

Calls to the function withdraw, redeem, mint and deposit may fail at any time.

Impact

Users will not be able to withdraw, redeem, mint and deposit.

PoC

    function testJoinExitZero() public {
        address receiver = address(123);
        assertEq(nst.balanceOf(receiver), 0);
        assertEq(vat.dai(address(this)), 10_000 * RAD);
        vm.expectRevert("Vat/not-allowed");
        nstJoin.exit(receiver, 4_000 * WAD);
        vat.hope(address(nstJoin));
        vm.expectEmit(true, true, true, true);
        emit Exit(address(this), receiver, 4_000 * WAD);
        nstJoin.exit(receiver, 0);
   }

Please put this piece of code in the file NstJoin.t.sol. This piece of code will be reverted as the parameter of function nstJoin.exit is 0.

Mitigation

before calling the nstJoin.exit, check where diff is 0.

[telome]

Invalid submission. drip will not revert if diff is 0. The PoC reverts due to an incorrect initial vat.dai balance and incorrect Exit event wad value.