sherlock-audit / 2024-08-sentiment-v2-judging


hash - Setting `minDebt` and `minBorrow` to low values can cause protocol to accrue bad debt #572

Open sherlock-admin2 opened 3 months ago

sherlock-admin2 commented 3 months ago

hash

Medium

Setting minDebt and minBorrow to low values can cause protocol to accrue bad debt

Summary

Setting minDebt and minBorrow to low values can cause protocol to accrue bad debt as liquidators won't find enough incentive in clearing the low debt and also depending on the price, users may be able to borrow dust without providing collateral

Vulnerability Detail

minDebt and minBorrow are supposed to be settable from 0

link

Min Debt = from 0 to 0.05 ETH = from 0 to 50000000000000000
Min Borrow = from 0 to 0.05 ETH = from 0 to 50000000000000000

Setting these to low values will allow positions to be created with low debts, and liquidations won't happen on small positions because they do not generate enough profit to cover the liquidator's costs. This will cause the protocol to accrue bad debt. Also, if both are set to dust, the roundings will become significant and allow one to borrow dust amounts without proper collateral. E.g., if both are set to 0 and the price of the asset is less than that of ETH, then borrowing 1 wei of the asset will require no collateral, as the value in ETH will be rounded to 0.

Impact

Protocol can accrue bad debt, leading to depositors losing their assets in case the values are set low

Code Snippet

https://github.com/sherlock-audit/2024-08-sentiment-v2/tree/main?tab=readme-ov-file#q-are-there-any-limitations-on-values-set-by-admins-or-other-roles-in-the-codebase-including-restrictions-on-array-lengths

Tool used

Manual Review

Recommendation

Ensure the minDebt and minBorrow values are not decreased below a certain threshold
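An added example, not part of the original report or of the Sentiment code base: a Python model of the two effects described above, the valuation that rounds to zero and the liquidation that does not pay for itself. It assumes an 18-decimal fixed-point price and floor division for the ETH valuation; the function names, the asset price, the liquidation bonus and the gas cost are all constructed for illustration.

```python
WAD = 10**18  # assumed 18-decimal fixed point for amounts and prices

# Constructed sample values (assumptions, not taken from the protocol)
PRICE_WAD = 4 * 10**14      # asset priced at 0.0004 ETH per token
BONUS_BPS = 1_000           # hypothetical 10% liquidation bonus
GAS_COST_WEI = 2 * 10**15   # hypothetical 0.002 ETH cost to liquidate
MAX_MIN_DEBT = 5 * 10**16   # 0.05 ETH, upper end of the range on the page


def value_in_eth(amount_wei: int, price_wad: int) -> int:
    """ETH value of an asset amount; integer division rounds down."""
    return amount_wei * price_wad // WAD


def check_borrow(amount_wei, price_wad, debt_value, min_borrow, min_debt):
    """Model of the minBorrow/minDebt gates. Returns (allowed, reason)."""
    borrow_value = value_in_eth(amount_wei, price_wad)
    if borrow_value < min_borrow:
        return False, "below minBorrow"
    if debt_value + borrow_value < min_debt:
        return False, "below minDebt"
    return True, "ok"


def liquidation_profit(debt_value: int, bonus_bps: int, gas_cost: int) -> int:
    """Liquidator's net result in wei: bonus earned minus cost to execute."""
    return debt_value * bonus_bps // 10_000 - gas_cost


def smallest_profitable_debt(bonus_bps: int, gas_cost: int) -> int:
    """Smallest debt value (wei) whose liquidation nets more than zero."""
    # floor(d * bonus / 10000) >= gas + 1  <=>  d >= ceil((gas + 1) * 10000 / bonus)
    return -(-(gas_cost + 1) * 10_000 // bonus_bps)


if __name__ == "__main__":
    # 1 wei of the asset is valued at 0 ETH, so zero minima let it through.
    print(value_in_eth(1, PRICE_WAD), check_borrow(1, PRICE_WAD, 0, 0, 0))
    # The same request is rejected once the minima are non-trivial.
    print(check_borrow(1, PRICE_WAD, 0, MAX_MIN_DEBT, MAX_MIN_DEBT))
    # Debt below this value is never worth liquidating under these assumptions.
    print(smallest_profitable_debt(BONUS_BPS, GAS_COST_WEI))
```

Under these constructed numbers any position whose debt is worth less than about 0.02 ETH costs the liquidator more than it pays, which is the range a floor on minDebt and minBorrow has to exclude.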

z3s commented 2 months ago

Admin won't set minDebt and/or minBorrow to zero

serial-coder commented 2 months ago

I cannot escalate the issue due to insufficient escalation threshold

Hi @z3s,

Your statement is not true:

> Admin won't set minDebt and/or minBorrow to zero

Please refer to the following excerpts from the contest public channel.

Furthermore, the "Sponsor Confirmed" tag also confirms that the sponsor considers this issue valid.

Thanks for your time.

kazantseff commented 2 months ago

Escalate, per the above comment

sherlock-admin3 commented 2 months ago

> Escalate, per the above comment

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

cvetanovv commented 2 months ago

I agree with the escalation.

In the Readme, we have values that the TRUSTED admin will set. That is exactly the purpose of this question in the Readme: https://github.com/sherlock-audit/2024-08-sentiment-v2?tab=readme-ov-file#q-are-there-any-limitations-on-values-set-by-admins-or-other-roles-in-the-codebase-including-restrictions-on-array-lengths

There we can see that the admin will use low values for Min Debt and Min Borrow:

Min Debt = from 0 to 0.05 ETH
Min Borrow = from 0 to 0.05 ETH

If low values are set for minDebt and minBorrow, a liquidator will have no incentive to liquidate the position. This means that the protocol can accrue bad debt.

Planning to accept the escalation and make this issue a Medium severity.

WangSecurity commented 2 months ago

Result: Medium
Has duplicates

sherlock-admin4 commented 2 months ago

Escalations have been resolved successfully!

Escalation status:

AlexCZM commented 1 month ago

Note to @cvetanovv: https://github.com/sherlock-audit/2024-08-sentiment-v2-judging/issues/181 is a duplicate. Moreover that issue has a more complete description and I propose to make it the main issue.

cvetanovv commented 1 month ago

@AlexCZM I agree that #181 is a duplicate of this issue and will duplicate it.