Salty.IO - CaeraDenoir's results

An Ethereum-based DEX with zero swap fees, yield-generating Automatic Arbitrage, and a native WBTC/WETH backed stablecoin.

General Information

Platform: Code4rena

Start Date: 16/01/2024

Pot Size: $80,000 USDC

Total HM: 37

Participants: 178

Period: 14 days

Judge: Picodes

Total Solo HM: 4

Id: 320

League: ETH

Salty.IO

Findings Distribution

Researcher Performance

Rank: 175/178

Findings: 1

Award: $0.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/CollateralAndLiquidity.sol#L154

Vulnerability details

[H] Shared cooldown in StakingRewards:_decreaseUserShare() and StakingRewards:_increaseUserShare() makes CollateralAndLiquidity:liquidateUser() revert when _decreaseUserShare() is called

Description: StakingRewards:_increaseUserShare() and StakingRewards:_decreaseUserShare() gate on the same per-user cooldown timestamp (cooldownExpiration) and both re-arm it. This makes it possible for a borrower who should be liquidated to avoid liquidation.

The attacker front-runs the CollateralAndLiquidity:liquidateUser() transaction with a call to CollateralAndLiquidity:depositCollateralAndIncreaseShare(), which runs through _increaseUserShare() and sets the cooldown expiration to block.timestamp plus modificationCooldown. liquidateUser() then calls _decreaseUserShare() with the cooldown enabled, finds the cooldown still active and reverts. A deposit just above the minimum deposit amount is enough, so the cost to the attacker is negligible.

Impact: A borrower can keep an undercollateralized position open and prevent anyone from liquidating it.

Proof of Concept:

1. Bob deposits USD 2,500 worth of collateral (the default minimum collateral value for borrowing).

Bob's collateral: USD 2,500

2. Bob borrows USD 1,250 worth of USDS (the maximum at the default 200% initial collateral ratio).

Bob's collateral: USD 2,500. Bob's borrowed: USD 1,250. Bob's collateralization ratio: 200%

3. Bob's collateral loses half its value, leaving the position 100% collateralized, below the 110% minimum collateral ratio. Bob can be liquidated.

Bob's collateral: USD 1,250. Bob's borrowed: USD 1,250. Bob's collateralization ratio: 100%

4. Bob sees Alice's pending liquidateUser() transaction and front-runs it with a call to depositCollateralAndIncreaseShare() for an amount just above the minimum deposit. The deposit arms his cooldown.

Bob's collateral: USD 1,250 + minimum amount. Bob's borrowed: USD 1,250. Bob's collateralization ratio: barely above 100%, still liquidatable

5. Alice's liquidateUser() call on Bob executes.

  • Expected result:
Bob's collateral: 0. Bob's borrowed: USD 1,250. Alice receives the default 5% liquidation reward from Bob's collateral (USD 1,250 * 5% = USD 62.50).
  • Actual result: the transaction reverts on the cooldown check in _decreaseUserShare(), because Bob's call to depositCollateralAndIncreaseShare() armed the shared cooldown through _increaseUserShare().
Bob's collateral: USD 1,250 + minimum amount. Bob's borrowed: USD 1,250. Bob's collateralization ratio: barely above 100%

Recommended Mitigation: depositCollateralAndIncreaseShare() can check whether the user is currently liquidatable and, if so, require the deposit to be large enough to bring the position back above the minimum collateral ratio. Alternatively, since the liquidated user is not the one modifying their own position, liquidateUser() can call _decreaseUserShare() with useCooldown set to false so that the shared cooldown never blocks a liquidation.
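To make the shared-cooldown interaction concrete, the following Python model of the bookkeeping replays PoC steps 1 to 5 above and then runs the same sequence under both mitigations: the deposit-must-heal check and the variant where the liquidation path disables the cooldown. It is an added example written for this page, not code from the Salty.IO repository. The constants (1 hour modificationCooldown, USD 2,500 minimum collateral, 200%/110% ratios, 5% reward), the DUST threshold, and all function and variable names are assumptions of this model; USD values stand in for token amounts and price-feed lookups.

```python
from dataclasses import dataclass, field

# Constructed model of Salty.IO's collateral/cooldown bookkeeping, not the project's code.
# Constants are the Salty defaults this example assumes (cooldown 1h, $2500 min collateral, 200%/110%, 5% reward).
MODIFICATION_COOLDOWN = 3600
MINIMUM_COLLATERAL_VALUE_FOR_BORROWING = 2500.0
INITIAL_COLLATERAL_RATIO_PCT = 200
MINIMUM_COLLATERAL_RATIO_PCT = 110
REWARD_PERCENT_FOR_CALLING_LIQUIDATION = 5
DUST = 0.0001  # assumed minimum deposit size; anything above it arms the cooldown


class Reverted(Exception):
    """Stands in for an EVM revert."""


@dataclass
class UserShare:
    collateral: float = 0.0       # collateral units, worth collateral * price USD
    borrowed_usds: float = 0.0
    cooldown_expiration: int = 0  # one timestamp shared by the increase and decrease paths


@dataclass
class CollateralModel:
    liquidation_uses_cooldown: bool        # True reproduces the reported behaviour
    require_healing_deposit: bool = False  # the write-up's recommended mitigation
    now: int = 0
    price: float = 1.0                     # USD per collateral unit
    users: dict = field(default_factory=dict)

    def _user(self, who):
        return self.users.setdefault(who, UserShare())

    def _gate_cooldown(self, u):
        # Same check on both paths: wait until the timer expires, then re-arm it.
        if self.now < u.cooldown_expiration:
            raise Reverted("Must wait for the cooldown to expire")
        u.cooldown_expiration = self.now + MODIFICATION_COOLDOWN

    def _increase_user_share(self, u, amount, use_cooldown):
        if use_cooldown:
            self._gate_cooldown(u)
        u.collateral += amount

    def _decrease_user_share(self, u, amount, use_cooldown):
        if use_cooldown:
            self._gate_cooldown(u)
        u.collateral -= amount

    def collateral_value(self, who):
        return self._user(who).collateral * self.price

    def can_user_be_liquidated(self, who):
        u = self._user(who)
        return u.borrowed_usds > 0 and 100 * self.collateral_value(who) < MINIMUM_COLLATERAL_RATIO_PCT * u.borrowed_usds

    def deposit_collateral_and_increase_share(self, who, amount):
        u = self._user(who)
        if amount < DUST:
            raise Reverted("Deposit below dust")
        if self.require_healing_deposit and self.can_user_be_liquidated(who):
            if 100 * (u.collateral + amount) * self.price < MINIMUM_COLLATERAL_RATIO_PCT * u.borrowed_usds:
                raise Reverted("Deposit must restore the minimum collateral ratio")
        self._increase_user_share(u, amount, use_cooldown=True)

    def borrow_usds(self, who, amount):
        u = self._user(who)
        value = self.collateral_value(who)
        if value < MINIMUM_COLLATERAL_VALUE_FOR_BORROWING or u.borrowed_usds + amount > value * 100 / INITIAL_COLLATERAL_RATIO_PCT:
            raise Reverted("Cannot borrow that much USDS")
        u.borrowed_usds += amount

    def liquidate_user(self, who):
        if not self.can_user_be_liquidated(who):
            raise Reverted("User cannot be liquidated")
        u = self._user(who)
        seized = u.collateral
        # The reported bug: the liquidation path runs the decrease with the cooldown enabled.
        self._decrease_user_share(u, seized, use_cooldown=self.liquidation_uses_cooldown)
        u.borrowed_usds = 0.0
        return seized * self.price * REWARD_PERCENT_FOR_CALLING_LIQUIDATION / 100  # liquidator's reward in USD


def run_frontrun_scenario(liquidation_uses_cooldown=True, require_healing_deposit=False):
    """Replays PoC steps 1-5 and reports what Alice's liquidateUser() did."""
    m = CollateralModel(liquidation_uses_cooldown, require_healing_deposit)
    m.deposit_collateral_and_increase_share("bob", 2500.0)  # 1: $2500 of collateral at t=0
    m.borrow_usds("bob", 1250.0)                             # 2: max borrow, 200% ratio
    m.now += MODIFICATION_COOLDOWN + 1                       # Bob's cooldown from step 1 expires
    m.price = 0.5                                            # 3: collateral halves, ratio 100%
    try:
        m.deposit_collateral_and_increase_share("bob", DUST)  # 4: front-run with a dust deposit
    except Reverted:
        pass  # the healing-deposit mitigation rejects the top-up, so the cooldown is not armed
    try:
        reward = m.liquidate_user("bob")                     # 5: Alice's liquidation lands next
        return {"liquidated": True, "reward_usd": reward, "bob_collateral_usd": m.collateral_value("bob")}
    except Reverted as e:
        return {"liquidated": False, "reason": str(e), "bob_collateral_usd": m.collateral_value("bob")}


if __name__ == "__main__":
    for kwargs in ({}, {"liquidation_uses_cooldown": False}, {"require_healing_deposit": True}):
        print(kwargs or "as reported", "->", run_frontrun_scenario(**kwargs))
```

With the shared cooldown, Alice's liquidation reverts and Bob keeps roughly USD 1,250 of collateral against USD 1,250 of debt. Under either mitigation the liquidation goes through and Alice collects the 5% reward on the seized collateral.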

Assessed type

DoS

#0 - c4-judge

2024-01-31T22:42:47Z

Picodes marked the issue as duplicate of #891

#1 - c4-judge

2024-02-21T16:13:21Z

Picodes marked the issue as satisfactory

AuditHub


Built by malatrax © 2024
