USDS borrowers can prevent liquidation by periodically touching their liquidities #363

c4-bot-1 · 2024-01-28T11:16:42Z

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L154

Vulnerability details

Impact

In current implementation, liquidation would fail while borrowers are in operation cool down. Users could periodically add negligible liquidity to keep in cool down and prevent liquidation in realistic time range such as some days.

Proof of Concept

The issue arises on L154 of liquidateUser() function, the last parameter useCooldown is set to true, this would trigger revert on L107 if the user being liquidated is under cooldown.

File: src\stable\CollateralAndLiquidity.sol
140: 	function liquidateUser( address wallet ) external nonReentrant
141: 		{
...
154: 		_decreaseUserShare( wallet, collateralPoolID, userCollateralAmount, true ); // @audit true => false
...
188: 		}

File: src\staking\StakingRewards.sol
097: 	function _decreaseUserShare( address wallet, bytes32 poolID, uint256 decreaseShareAmount, bool useCooldown ) internal
098: 		{
...
104: 		if ( useCooldown )
105: 		if ( msg.sender != address(exchangeConfig.dao()) ) // DAO doesn't use the cooldown
106: 			{
107: 			require( block.timestamp >= user.cooldownExpiration, "Must wait for the cooldown to expire" );
108: 
109: 			// Update the cooldown expiration for future transactions
110: 			user.cooldownExpiration = block.timestamp + stakingConfig.modificationCooldown();
111: 			}
...
140: 		}

Now, let's say the WBTC or WETH price quickly fall and make some users' collateral value decreasing to near liquidation threshold. Users could add negligible liquidity to refresh coolDown time rather than increasing liquidity or repaying USDS to prevent liquidation. To be even worse, users could try to refresh coolDown repeatedly. This would significantly increase depeg risk of USDS in such market situation.

Tools Used

Manually review

Recommended Mitigation Steps

See PoC

Assessed type

Error

The text was updated successfully, but these errors were encountered:

c4-judge · 2024-01-31T22:44:45Z

Picodes marked the issue as duplicate of #891

c4-judge · 2024-02-21T16:13:54Z

Picodes marked the issue as satisfactory

c4-judge · 2024-02-21T16:14:01Z

Picodes changed the severity to 3 (High Risk)

c4-bot-1 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 28, 2024

c4-bot-9 added a commit that referenced this issue Jan 28, 2024

KingNFT issue #363

a9e00c7

c4-judge closed this as completed Jan 31, 2024

c4-judge added the duplicate-891 label Jan 31, 2024

c4-judge added duplicate-312 and removed duplicate-891 labels Jan 31, 2024

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 21, 2024

c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

USDS borrowers can prevent liquidation by periodically touching their liquidities #363

USDS borrowers can prevent liquidation by periodically touching their liquidities #363

c4-bot-1 commented Jan 28, 2024

c4-judge commented Jan 31, 2024

c4-judge commented Feb 21, 2024

c4-judge commented Feb 21, 2024

USDS borrowers can prevent liquidation by periodically touching their liquidities #363

USDS borrowers can prevent liquidation by periodically touching their liquidities #363

Comments

c4-bot-1 commented Jan 28, 2024

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

c4-judge commented Jan 31, 2024

c4-judge commented Feb 21, 2024

c4-judge commented Feb 21, 2024