search

sherlock-audit / 2024-08-flayer-judging

0 stars 0 forks source link

Obedient Flaxen Peacock - Anyone can block collection shutdown execution and lock up voters' tokens and prevent them from claiming ETH shares #768

Open sherlock-admin4 opened 4 days ago

sherlock-admin4 commented 4 days ago

Obedient Flaxen Peacock

High

Anyone can block collection shutdown execution and lock up voters' tokens and prevent them from claiming ETH shares

Summary

Anyone can still create a listing or a protected listing for a collection that has reached quorum for shutdown. There are no checks that prevent this.

However, shutdown can not be executed while listings exist.

Root Cause

Allowing creation of new listings or protected listings when shutdown of a collection has already started or executed can prevent shutdown from executing indefinitely.

Internal pre-conditions

  1. Collection shutdown has reached quorum.

External pre-conditions

None

Attack Path

  1. Shutdown can be executed since voter quorum has been reached. However, it can be blocked by anyone who creates a listing or protected listing.
  2. Attacker creates a protected listing for the target collection only borrowing 1 fToken. Since it is a protected listing, it can only be liquidated once collateral has run out. For collateral to run out, the unlockPrice must be greater than 0.95e18. However, a collateral of 1 will only compound to 8 after 10 years with a utilization rate of 80%.
  3. The attacker has blocked the collection shutdown for an indefinite period.

Impact

The shutdown voters lose their collection tokens and NFTs for an indefinite period. The cost of locking up the attacker's NFT for 10 years is only 4-10 fTokens (dust amounts).

PoC

The following test can be added to TaxCalculator.t.sol. 

function test_Compounding() public view {
    uint compoundedFactor = taxCalculator.calculateCompoundedFactor(1e18, 0.8 ether, 10 * 365 days);
    compoundedFactor = compoundedFactor * 1e18 / 1e18;
    // @audit the below code simulates `TaxCalculator::compound()`
    uint compoundedAmount = 1 * compoundedFactor / 1e18;
    console.log("Compounded Amount: ", compoundedAmount);
}

The test shows that the compounded amount for a principal/collateral of 1 with a utilization rate of 80% and a duration of 10 years is only 8.

Mitigation

No response