zraxx - The function `take` will cause the user to buy collateral exceeding the `max` price.

[sherlock-admin2]

zraxx

Medium

The function take will cause the user to buy collateral exceeding the max price.

Summary

The variable slice recalculation in the take function will cause the price of the collateral to increase, which may exceed the max price and cause losses to users.

Root Cause

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L332-L373 In LockstakeClipper.sol:373, the variable slice is recalculated and will be smaller than before, therefore, prices will rise accordingly which may exceed the max price. However, there is no check, which causes losses to users.

Internal pre-conditions

1. auth user calls function kick function to start a auction

External pre-conditions

No response

Attack Path

1. victim calls the function take.

Impact

Users will be affected by fund losses, and their losses may exceed 1%. For exampe, when the tab = 1000, price = 11, lot = 100, and user call the function take will amt = 100 and max =11 (which means he/she want to buy all the collateral ). Then, the owe = 1100, which exceeds the tab. Next, the slice will be recalculated to be 90(1000/11). However, the real price will become 11.11 (1000/90) at the same time, which exceeds the max price and the lose is 1%(0.11/11).

PoC

No response

Mitigation

Add a price check after the slice recalculation.

[telome]

This is not expected to be significant with real life amounts. In any case, this logic is unchanged from the original Maker clipper, so this is out of scope per the competition rules.