search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

kevinkien - Insufficient Input Validation in the kick and take Functions of LockstakeClipper Contract #38

Closed sherlock-admin3 closed 1 month ago

sherlock-admin3 commented 1 month ago

kevinkien

Medium

Insufficient Input Validation in the kick and take Functions of LockstakeClipper Contract

Summary

The kick and take functions in the LockstakeClipper contract have some input validation, but it could be more robust. Specifically, there's a lack of checks to ensure that the tab (debt) is greater than a minimum value. This could lead to economically inefficient liquidations.

Vulnerability Detail

In the kick function, the tab parameter represents the outstanding debt of a CDP that is being liquidated. Currently, the contract only checks that the tab is not zero. However, it doesn't enforce a minimum threshold for the tab amount. This means that even very small debts could trigger a liquidation process, which might not be economically justifiable due to the gas costs associated with the auction.

Similarly, in the take function, where users can purchase collateral from the auction, there's no check to ensure that the remaining tab after a partial purchase is above a minimum threshold. This could result in leftover auctions with very small remaining debts that might never be cleared, as keepers may not find it profitable to participate in such auctions due to the high gas costs relative to the potential reward.

Impact

Economic Inefficiency: Liquidations could be triggered for CDPs with very small debts, resulting in unnecessary gas costs for both the system and the users involved. Stale Auctions: Partial purchases could leave behind auctions with very small remaining debts, making them unattractive to keepers and potentially clogging up the system with uncleared auctions.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L229-L271

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L332-L426

Tool used

Manual Review

Recommendation

add minimum debt checks in both the kick and take functions. This can be done by introducing a constant or a configurable variable to define the minimum allowed debt.

For the kick function:

require(tab >= MIN_DEBT, "LockstakeClipper/tab-too-small");

For the take function:

// ... (inside the take function)
uint256 remainingTab = tab - owe;
require(remainingTab == 0 || remainingTab >= MIN_DEBT, "LockstakeClipper
telome commented 1 month ago

For kicking there is validation for dust in the DOG (https://github.com/makerdao/dss/blob/master/src/dog.sol#L194). For taking there is validation of dust using the chost parameter - https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L377

In general this code is unchanged from the old clipper so out of scope.