Closed sherlock-admin3 closed 1 month ago
This is a very well known limitation of the vat as stated in the issue. Providing a farm is an extra functionality that doesn't really depend on the leverage one. Today a user could be doing the same thing with any collateral and depositing in an external pool for profiting without paying the Maker fees doing the same method. We can argue that with Lockstake, it is even more dangerous to do it with MKR, as if for any reason this becomes non profitable anymore, you need to pay an exit fee to get back to original state. If Governance sees such of malicious value extraction can take actions and the depositor is tied to the exit fee. Similar as the Atlas will define for cases where a public wrapping token tries to avoid the exit fees.
panprog
Medium
User can bypass paying Lockstake borrow rate, effectively borrowing at 0 or small rate which is a loss of the protocol
Summary
When user borrows NST from the Lockstake vault, he has to continously pay borrow fee at the rate set by the admin (protocol stability fee). The amount of NST owed by user should increase by this rate every second, which is technically done by increasing
rate
multiplier by callingjug.drip
. SinceLockstake
usesvat
for borrowing, it inherits the known issue thatjug.drip
is not required to be called when repaying the debt, thus user will not pay any stability fee for the period from the lastjug.drip
transaction when repaying the debt.While this issue is known, the new Lockstake engine makes this issue more severe, because it now becomes profitable for the attacker due to availability of reward farms for the NGT locked in the Lockstake. See below for Attack Path.
Root Cause
When borrowing from the Lockstake vault, the borrow
rate
is forced to be updated by callingjug.drip
: https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L382-L383 However, when repaying, there is no such requirement, the last storedrate
is used instead, which is outdated (smaller): https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L391-L394 Thevat
downstream doesn't (and can't) require rate update as well: https://github.com/makerdao/dss/blob/fa4f6630afb0624d04a003e920b0d71a00331d98/src/vat.sol#L143This allows to borrow at the current rate, but repay at the old rate, effectively bypassing the stability fee.
Internal pre-conditions
At least 1 farm with rewards available for Lockstake. Attacker has big amount of funds available (considerable percentage of all lockstake depositors, say 1%-10%)
External pre-conditions
None
Attack Path
Suppose 1 NGT = 1000 DAI, Lockstake vault LTV is 70%, borrow annual rate is 12%, farm available to Lockstake gives out rewards at about 10% annual rate.
Loan preparation:
At this point attacker has 300K NGT Lockstake deposit with 200M DAI debt. This deposit generates $30M per year in rewards via the special farm available to Lockstake only.
Attack every
N
blocks:jug.drip
This allows to avoid paying any borrow fee in most periods (when there are no
jug.drip
calls) while still earning full reward from the farm, at the cost of gas only. Since the attacker has $30M profit per year, this is $11 per ethereum block (12 seconds). If the average gas cost is less than $11 per transaction, attacker can do this every block. However, if we check the real usage ofjug.drip
, even for the most active pools it's called only a few times per hour, often a few times per day. So attacker can chooseN
to be around 10-100 for the best trade-off to still pay almost 0 fees, but reduce his gas costs. In such case attacker will still pay borrow fees for a small percentage of time periods whenjug.drip
is called by the other user, but this is likely to be less than 10% of the time, so the attacker will effectively pay 1.2% instead of 12% borrow rate.Impact
If the attacker has large amount of funds available and has large share of the Lockstake (say, 1%-10%), Protocol loses most stability fees from the attacker, which is up to 1%-10% of all stability fees from the Lockstake vault. Attacker avoids paying them while profiting from the farm (effectively getting about 25%-30% APR less gas fees instead of 10% APR in the example above).
PoC
Not needed
Mitigation
Consider fixing the
vat
to somehow require the borrow rate to be up-to-date when repaying, since the same attack is possible for all vaults, just has more incentive for attacker when doing it for the Lockstake vaults.