J4de - After the stop level of `LockstakeClipper` is reduced from `3`, users can buy collateral at extremely low prices

[sherlock-admin2]

J4de

Medium

After the stop level of LockstakeClipper is reduced from 3, users can buy collateral at extremely low prices

Summary

After the stop level of LockstakeClipper is reduced from 3, users can buy collateral at extremely low prices

Vulnerability Detail

The LockstakeClipper contract has 4 stopped levels

• 0: no breaker
• 1: no new auctions
• 2: no new auctions or restarted auctions
• 3: no new auctions, restart auctions and buys

LockstakeClipper uses a dutch auction, which means that the longer the auction starts, the lower the price of the collateral. When the stopped is set to 3, no one can buy collateral, but the price is still falling. Once stopped is changed, users can immediately buy collateral at a very low price.

Impact

Users can buy collateral at a lower price, causing losses to the protocol.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L338

Tool used

Manual Review

Recommendation

It is recommended that all auctions should be restarted after the stopped value is reduced from 3.

[telome]

From the competition rules: "Using the "stopped" states in the lockstake clipper is assumed to be used by wards in an extreme emergency. It is a known risk that some of the system attributes and functionality may not hold afterwards, including risking user and system funds. This includes also LSE special functionality (allowing exit of auctions leftover, not burning fees, delegating, staking, etc..)."

Also note that such problems with this emergency mechanism exist in the legacy Maker clippers, so are out of scope for the competition.