Ethereum Credit Guild - Beepidibop's results

A trust minimized pooled lending protocol.

General Information

Platform: Code4rena

Start Date: 11/12/2023

Pot Size: $90,500 USDC

Total HM: 29

Participants: 127

Period: 17 days

Judge: TrungOre

Total Solo HM: 4

Id: 310

League: ETH

Ethereum Credit Guild

Findings Distribution

Researcher Performance

Rank: 62/127

Findings: 1

Award: $196.26

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: sl1

Also found by: 0x70C9, 0xDemon, Aymen0909, Beepidibop, Tendency, carrotsmuggler, glorySec

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
edited-by-warden
duplicate-1057

Awards

196.2606 USDC - $196.26

External Links

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L652-L656 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L237 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/AuctionHouse.sol#L84-L87 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L738

Vulnerability details

[H-1] LendingTerm: Cannot Liquidate Loans that Are Underwater

_call(), which starts the auction for each loanId, doesn't allow liquidating an underwater position.

A position can borrow the maximum and go over its borrow limit within 1 block, but _call() won't be able to liquidate the position: since the gauge isn't deprecated and partialRepayDelayPassed() doesn't return true, the require fails and the tx reverts. It also doesn't check whether the debt is actually within maxBorrow before this revert.

Other scenarios can also push positions underwater, such as a liquidation that decreases creditMultiplier, which increases all borrowers' principal.

Governance also can't liquidate the loanId through emergencyAction(). Since AuctionHouse.startAuction() requires loan.callTime == block.timestamp, and onBid() requires the loan to not be closed (loans[loanId].closeTime == 0), governance actions such as forgive() won't be able to start an auction either.

Recommendation

Calculate the accrued interest and check whether interest + principal > maxBorrow before the require(isDeprecatedGauge() || partialRepayDelayPassed()) check, so that an underwater loan can be called even when the gauge is live and no partial repayment is overdue.
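The following Python model is an added illustration, not code from the Ethereum Credit Guild repository: it reduces the call gate to the two conditions named in the finding, adds the recommended debt-vs-maxBorrow check beside it, and replays the "borrow the maximum, wait one block" scenario. The interest and maxBorrow formulas are simplified assumptions (linear interest, creditMultiplier ignored) chosen only to show how the two gates diverge.

```python
from dataclasses import dataclass

YEAR = 365 * 24 * 3600
WAD = 10**18  # fixed-point scale, as used by the Solidity contracts


@dataclass
class Loan:
    principal: int           # CREDIT borrowed, WAD
    collateral: int          # collateral tokens posted, WAD
    open_time: int           # block.timestamp at borrow
    last_partial_repay: int  # block.timestamp of last partial repayment


@dataclass
class Term:
    interest_rate: int            # annual rate, WAD (1e17 == 10%)
    max_debt_per_collateral: int  # CREDIT per collateral token, WAD
    max_partial_repay_delay: int  # seconds; 0 means no periodic repayment required
    deprecated: bool = False      # gauge deprecated by GUILD holders


def loan_debt(term: Term, loan: Loan, now: int) -> int:
    """Assumed model: principal plus linear interest since the loan opened."""
    interest = loan.principal * term.interest_rate * (now - loan.open_time) // (YEAR * WAD)
    return loan.principal + interest


def max_borrow(term: Term, loan: Loan) -> int:
    """Assumed model: borrow ceiling implied by the posted collateral."""
    return loan.collateral * term.max_debt_per_collateral // WAD


def partial_repay_delay_passed(term: Term, loan: Loan, now: int) -> bool:
    if term.max_partial_repay_delay == 0:
        return False  # no periodic repayment configured, so it can never be "missed"
    return now > loan.last_partial_repay + term.max_partial_repay_delay


def callable_original(term: Term, loan: Loan, now: int) -> bool:
    """Gate as described in the finding: deprecation or a missed partial repayment only."""
    return term.deprecated or partial_repay_delay_passed(term, loan, now)


def callable_recommended(term: Term, loan: Loan, now: int) -> bool:
    """Recommended gate: also allow the call once accrued debt exceeds maxBorrow."""
    underwater = loan_debt(term, loan, now) > max_borrow(term, loan)
    return underwater or callable_original(term, loan, now)


def scenario() -> dict:
    """Constructed case: borrow exactly maxBorrow, then let one block (12s) of interest accrue."""
    term = Term(interest_rate=10**17, max_debt_per_collateral=2000 * WAD, max_partial_repay_delay=0)
    t0 = 1_700_000_000
    loan = Loan(principal=2000 * WAD, collateral=1 * WAD, open_time=t0, last_partial_repay=t0)
    t1 = t0 + 12  # next block: debt is now strictly above maxBorrow
    return {
        "underwater": loan_debt(term, loan, t1) > max_borrow(term, loan),
        "callable_original": callable_original(term, loan, t1),
        "callable_recommended": callable_recommended(term, loan, t1),
    }
```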


Assessed type

Invalid Validation

#0 - c4-pre-sort

2024-01-03T11:33:47Z

0xSorryNotSorry marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-03T11:34:04Z

0xSorryNotSorry marked the issue as duplicate of #153

#2 - c4-judge

2024-01-26T12:31:50Z

Trumpero marked the issue as not a duplicate

#3 - c4-judge

2024-01-26T12:32:01Z

Trumpero marked the issue as duplicate of #1057

#4 - c4-judge

2024-01-26T12:51:31Z

Trumpero marked the issue as satisfactory

#5 - c4-judge

2024-01-31T13:42:20Z

Trumpero changed the severity to 2 (Med Risk)
