Closed sherlock-admin3 closed 1 month ago
This is clearly specified in the scope...
"wipeAll and wipe do not drip because it is actually not convenient for the user to do a drip call on wiping. Then, if we force the drip, we are incentivizing users to repay directly to the vat (which is possible) instead of using the engine for that. We are mimicking the old proxy actions behaviour, where we drip for drawing, as otherwise the user can lose money, but not forcing the drip on wiping so users actually use this function."
zhoo
Medium
LockstakeEngine.wipe did not update the rate
Summary
LockstakeEngine.wipe did not update the rate
Root Cause
LockstakeEngine.draw uses the return value of jug.drip as the rate, and that rate is the updated rate. However, wipe uses the vat.ilks function to obtain the rate, which is not updated at this time.
jug.drip function: https://github.com/makerdao/dss/blob/fa4f6630afb0624d04a003e920b0d71a00331d98/src/jug.sol#L122
LockstakeEngine: https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/lockstake/src/LockstakeEngine.sol#L382
See the wipe implementation in another older version: https://github.com/makerdao/dss-allocator/blob/6304bfd3f567630636244cb2ca3b58dd415592fa/src/AllocatorVault.sol#L142
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
1. LockstakeEngine.draw
2. rate has been updated after a period of time, but no other user has performed draw, and rate has not been updated.
3. LockstakeEngine.wipe using the old rate
Impact
The old rate was used, resulting in the loss of funds.
PoC
No response
Mitigation
Duplicate of #66
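As an added illustration of the rate discrepancy described in this issue (not code from the LockstakeEngine or dss repositories, but a simplified integer model of their RAY fixed-point arithmetic), the block below advances a rate the way jug.drip does and converts a repayment into normalized debt once with the stored rate and once with the freshly dripped one. The duty, elapsed time and amounts are constructed so the arithmetic is exact.

```python
# Added example, not the project's code: a minimal integer model of the dss
# RAY (1e27) fixed-point arithmetic. It shows how jug.drip advances the rate
# and how a wipe converts a DAI amount into normalized debt (dart) using
# whichever rate it reads. All parameter values below are constructed.

RAY = 10 ** 27
WAD = 10 ** 18


def rmul(x: int, y: int) -> int:
    """RAY-scaled multiplication, truncating like the Solidity version."""
    return x * y // RAY


def rpow(x: int, n: int) -> int:
    """x ** n in RAY fixed point by square-and-multiply."""
    z = RAY
    while n > 0:
        if n & 1:
            z = rmul(z, x)
        x = rmul(x, x)
        n >>= 1
    return z


def drip(rate: int, duty: int, elapsed: int) -> int:
    """Rate after `elapsed` seconds at per-second fee `duty` (what jug.drip stores)."""
    return rmul(rpow(duty, elapsed), rate)


def wipe_dart(wad: int, art: int, rate: int) -> int:
    """Normalized debt cleared by repaying `wad` DAI against `art` at `rate`."""
    return min(art, wad * RAY // rate)


def compare_wipe(wad: int, art: int, stored_rate: int, duty: int, elapsed: int):
    """Return (dart_stale, dart_fresh, tab_after_stale, tab_after_fresh).

    dart_* is the normalized debt a wipe clears when it reads the stored
    (undripped) rate versus the dripped rate; tab_* is the DAI-denominated
    debt left in each case once the rate is eventually dripped.
    """
    fresh = drip(stored_rate, duty, elapsed)
    dart_stale = wipe_dart(wad, art, stored_rate)
    dart_fresh = wipe_dart(wad, art, fresh)
    tab_after_stale = (art - dart_stale) * fresh // RAY
    tab_after_fresh = (art - dart_fresh) * fresh // RAY
    return dart_stale, dart_fresh, tab_after_stale, tab_after_fresh


if __name__ == "__main__":
    # Constructed: a 25% fee per second for one second keeps every value exact.
    print(compare_wipe(100 * WAD, 100 * WAD, RAY, RAY * 5 // 4, 1))
```

With these inputs the stale read clears all 100 units of normalized debt for 100 DAI, while the dripped rate clears only 80 and leaves 25 DAI of accrued debt outstanding; the gap is exactly the fee accrued over the undripped interval.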