search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

panprog - User can bypass paying Lockstake borrow rate, effectively borrowing at 0 or small rate which is a loss of the protocol #68

Closed sherlock-admin3 closed 1 month ago

sherlock-admin3 commented 1 month ago

panprog

Medium

User can bypass paying Lockstake borrow rate, effectively borrowing at 0 or small rate which is a loss of the protocol

Summary

When user borrows NST from the Lockstake vault, he has to continously pay borrow fee at the rate set by the admin (protocol stability fee). The amount of NST owed by user should increase by this rate every second, which is technically done by increasing rate multiplier by calling jug.drip. Since Lockstake uses vat for borrowing, it inherits the known issue that jug.drip is not required to be called when repaying the debt, thus user will not pay any stability fee for the period from the last jug.drip transaction when repaying the debt.

While this issue is known, the new Lockstake engine makes this issue more severe, because it now becomes profitable for the attacker due to availability of reward farms for the NGT locked in the Lockstake. See below for Attack Path.

Root Cause

When borrowing from the Lockstake vault, the borrow rate is forced to be updated by calling jug.drip: https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L382-L383 However, when repaying, there is no such requirement, the last stored rate is used instead, which is outdated (smaller): https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L391-L394 The vat downstream doesn't (and can't) require rate update as well: https://github.com/makerdao/dss/blob/fa4f6630afb0624d04a003e920b0d71a00331d98/src/vat.sol#L143

This allows to borrow at the current rate, but repay at the old rate, effectively bypassing the stability fee.

Internal pre-conditions

At least 1 farm with rewards available for Lockstake. Attacker has big amount of funds available (considerable percentage of all lockstake depositors, say 1%-10%)

External pre-conditions

None

Attack Path

Suppose 1 NGT = 1000 DAI, Lockstake vault LTV is 70%, borrow annual rate is 12%, farm available to Lockstake gives out rewards at about 10% annual rate.

Loan preparation:

  1. Attacker has 100K NGT
  2. Flashloan 200M DAI
  3. Swap 200M DAI into 200K NGT
  4. Deposit 300K NGT into Lockstake
  5. Choose a farm with 10% annual rate
  6. Borrow 200M DAI (67% LTV)
  7. Repay 200M DAI flashloan

At this point attacker has 300K NGT Lockstake deposit with 200M DAI debt. This deposit generates $30M per year in rewards via the special farm available to Lockstake only.

Attack every N blocks:

  1. Flashloan 200M DAI
  2. Repay vault debt in full
  3. Call jug.drip
  4. Borrow the same amount again
  5. Repay flashloan

This allows to avoid paying any borrow fee in most periods (when there are no jug.drip calls) while still earning full reward from the farm, at the cost of gas only. Since the attacker has $30M profit per year, this is $11 per ethereum block (12 seconds). If the average gas cost is less than $11 per transaction, attacker can do this every block. However, if we check the real usage of jug.drip, even for the most active pools it's called only a few times per hour, often a few times per day. So attacker can choose N to be around 10-100 for the best trade-off to still pay almost 0 fees, but reduce his gas costs. In such case attacker will still pay borrow fees for a small percentage of time periods when jug.drip is called by the other user, but this is likely to be less than 10% of the time, so the attacker will effectively pay 1.2% instead of 12% borrow rate.

Impact

If the attacker has large amount of funds available and has large share of the Lockstake (say, 1%-10%), Protocol loses most stability fees from the attacker, which is up to 1%-10% of all stability fees from the Lockstake vault. Attacker avoids paying them while profiting from the farm (effectively getting about 25%-30% APR less gas fees instead of 10% APR in the example above).

PoC

Not needed

Mitigation

Consider fixing the vat to somehow require the borrow rate to be up-to-date when repaying, since the same attack is possible for all vaults, just has more incentive for attacker when doing it for the Lockstake vaults.

sunbreak1211 commented 1 month ago

This is a very well known limitation of the vat as stated in the issue. Providing a farm is an extra functionality that doesn't really depend on the leverage one. Today a user could be doing the same thing with any collateral and depositing in an external pool for profiting without paying the Maker fees doing the same method. We can argue that with Lockstake, it is even more dangerous to do it with MKR, as if for any reason this becomes non profitable anymore, you need to pay an exit fee to get back to original state. If Governance sees such of malicious value extraction can take actions and the depositor is tied to the exit fee. Similar as the Atlas will define for cases where a public wrapping token tries to avoid the exit fees.