// Cancel an auction during End.cage or via other governance action.
function yank(uint256 id) external auth lock {
    require(sales[id].usr != address(0), "LockstakeClipper/not-running-auction");
    dog.digs(ilk, sales[id].tab);
    uint256 lot = sales[id].lot;
@>> vat.flux(ilk, address(this), msg.sender, lot);
@>> engine.onRemove(sales[id].usr, 0, 0);
    _remove(id);
    emit Yank(id);
}
In the yank() function, we can see that only the accounting of the collateral is transferred to msg.sender. However, MKR is neither transferred to msg.sender nor is lsmkr minted to msg.sender. This will result in msg.sender being unable to withdraw MKR from the LockstakeEngine.
Let’s take a look at the LockstakeEngine::free() function.
It can be seen that due to the lack of lsmkr token, _free() will revert, causing free() to also revert. As a result, msg.sender will never receive the MKR they are entitled to, and the MKR will be permanently locked in the LockstakeEngine. msg.sender only receives the accounting of the collateral, but not the collateral itself, and cannot extract the collateral.
Internal pre-conditions
To remove the liquidated auction, use the yank function.
External pre-conditions
There is a position that meets the liquidation conditions.
Initiate the liquidation auction.
Attack Path
1. There is a position that meets the liquidation conditions.
2. Initiate the liquidation auction.
3. Use the yank function to remove the liquidated auction.
Impact
The liquidated MKR is permanently locked in the LockstakeEngine, leading to a loss of funds.
PoC
function testClipperYankRevert4FreeMkr() public {
    address urn = _urnSetUp(false, false);
    uint256 id = _forceLiquidation(urn);
    //mkr number for
    (,, uint256 lot,, address usr,,) = clip.sales(id);
    console2.log("lot is ", lot);
    vm.expectEmit(true, true, true, true);
    emit OnRemove(urn, 0, 0, 0);
    vm.prank(pauseProxy);
    clip.yank(id);
    assertEq(engine.urnAuctions(urn), 0);
    // pauseProxy transfers the accounting of the gem token to urn, then we can test free
    vm.prank(pauseProxy);
    dss.vat.frob(ilk, urn, pauseProxy, address(0), int256(lot), 0);
    // free() on the engine reverts here for the MKR, but it should succeed.
    engine.free(urn, pauseProxy, lot);
}
Add this code to LockstakeEngine.t.sol,
then run forge test --mt testClipperYankRevert4FreeMkr -vvv.
This will give:
Per the contest readme:
"Using yank() in the lockstake clipper is assumed to only happen as part of a shutdown procedure. Since this is out of scope, it is assumed not to happen."
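The accounting mismatch the finding describes (yank() moves only vat accounting, and free() then fails for lack of lsMKR), as a small Python model with an invariant check a test suite could assert. This is an added example, not code from the submission or the contest repository; the class, the `stranded()` invariant and the balances are constructed, and it assumes, as the finding states, that free() must burn the urn's lsMKR before releasing MKR.

```python
from collections import defaultdict


class Revert(Exception):
    """Stands in for a Solidity revert."""


class LockstakeModel:
    """Balance bookkeeping only; a hypothetical model, not the real contracts."""

    def __init__(self, lot):
        # Constructed starting state: one running auction holding `lot` MKR.
        self.gem = defaultdict(int, {"clipper": lot})  # vat gem accounting
        self.ink = defaultdict(int)                    # collateral locked per urn
        self.lsmkr = defaultdict(int)                  # lsMKR balances
        self.mkr = defaultdict(int, {"engine": lot})   # actual MKR tokens
        self.lot = lot                                 # lot of the running auction

    def yank(self, caller):
        # Mirrors the two marked lines: vat.flux(...) then engine.onRemove(usr, 0, 0).
        self.gem["clipper"] -= self.lot
        self.gem[caller] += self.lot
        self.lot = 0  # auction removed; no MKR transferred, no lsMKR minted

    def frob(self, urn, src, dink):
        if self.gem[src] < dink:
            raise Revert("insufficient gem")
        self.gem[src] -= dink
        self.ink[urn] += dink

    def free(self, urn, to, wad):
        # Assumption taken from the finding: free() needs lsMKR to burn.
        if self.lsmkr[urn] < wad or self.ink[urn] < wad:
            raise Revert("insufficient lsMKR or ink")
        self.lsmkr[urn] -= wad
        self.ink[urn] -= wad
        self.mkr["engine"] -= wad
        self.mkr[to] += wad

    def stranded(self):
        # Assumed invariant: engine MKR == lsMKR supply + lots still in auction.
        return self.mkr["engine"] - sum(self.lsmkr.values()) - self.lot


def replay_poc(lot=100):
    """Replays the PoC steps; returns (stranded before, reverted, stranded after, MKR received)."""
    m = LockstakeModel(lot)
    before = m.stranded()
    m.yank("pauseProxy")
    m.frob("urn", "pauseProxy", lot)
    try:
        m.free("urn", "pauseProxy", lot)
        reverted = False
    except Revert:
        reverted = True
    return before, reverted, m.stranded(), m.mkr["pauseProxy"]
```

A nonzero `stranded()` after any sequence of calls is the condition to assert against in an invariant or fuzz test.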
ZeroTrust
Medium
The administrator calling yank() will result in MKR being permanently locked in the LockstakeEngine.
Summary
In the LockstakeClipper.sol::yank() function, the lack of lsmkr.mint() will result in MKR being permanently locked in the LockstakeEngine.
Root Cause
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeClipper.sol#L476
In the yank() function, we can see that only the accounting of the collateral is transferred to msg.sender. However, MKR is neither transferred to msg.sender nor is lsmkr minted to msg.sender. This will result in msg.sender being unable to withdraw MKR from the LockstakeEngine. Let’s take a look at the LockstakeEngine::free() function.
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L340
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L360C3-L378C6
It can be seen that due to the lack of lsmkr token, _free() will revert, causing free() to also revert. As a result, msg.sender will never receive the MKR they are entitled to, and the MKR will be permanently locked in the LockstakeEngine. msg.sender only receives the accounting of the collateral, but not the collateral itself, and cannot extract the collateral.
Mitigation