Platform: Code4rena
Start Date: 11/12/2023
Pot Size: $90,500 USDC
Total HM: 29
Participants: 127
Period: 17 days
Judge: TrungOre
Total Solo HM: 4
Id: 310
League: ETH
Rank: 45/127
Findings: 1
Award: $299.13
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Cosine
Also found by: Byteblockers, HighDuty, OMEN
299.1321 USDC - $299.13
Gauge whale staking will be gone because of block stuffing.
In the auction, there are two phases. In the first phase, the auction house asks full credit for the debt and offers collateral based on time passed. In the second phase, the auction house offers full collateral and reduces the credit asked based on time passed.
ATTACK SCENARIO
In the first phase, the auction house will send back some collateral to the borrower for sure. If a malicious borrower can make the transaction revert, no bid will happen in the first phase. To be reverted, malicious collateral is needed to call back to the malicious borrower (the malicious collateral must implement a callback on transfer). If the malicious borrower can onboard a lending term with that malicious collateral, which has an upgradable proxy, the malicious borrower can revert the transaction that calls back to him.
    function onBid(
        bytes32 loanId,
        address bidder,
        uint256 collateralToBorrower,
        uint256 collateralToBidder,
        uint256 creditFromBidder
    ) external {
        // ....
        // @audit-info ------->>> user contract can make it revert
        if (collateralToBorrower != 0) {
            IERC20(params.collateralToken).safeTransfer(
                loans[loanId].borrower,
                collateralToBorrower
            );
        }
    }
In the second phase, a malicious user can do block stuffing for a few seconds. There will be a loss incurred in notifyPnl, and notifyGaugeloss is also triggered. This will cause the user stake to get slashed.
In case a gauge whale sees that debt in auction and tries to bid on it, that's why block stuffing is implemented for the second phase.
On Arbitrum, the gas fee is really low and block stuffing is possible. https://arxiv.org/pdf/2307.14773.pdf
This attack is really great when whales stake a lot of gauge in that lending term.
manual view
Partial slashing is the best way, I guess, not all weight slashing.
DoS
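A small model of the two-phase auction described in the submission above, added here as an illustration; it is not code from the audited project or from the submitter. It assumes linear interpolation over time and constructed parameter values (`mid_point`, `duration`, the amounts), and shows that every phase-one bid carries a transfer to the borrower and how the loss reported to notifyPnl grows with each second the first successful bid is delayed in phase two.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Auction:
    call_debt: int    # credit owed when the auction started
    collateral: int   # collateral held for the loan
    mid_point: int    # seconds until phase 1 ends (assumed parameter)
    duration: int     # seconds until the auction ends (assumed parameter)


def bid_detail(a: Auction, elapsed: int) -> tuple[int, int]:
    """Return (collateral_to_bidder, credit_asked) `elapsed` seconds in."""
    if elapsed < 0:
        raise ValueError("elapsed must be >= 0")
    if elapsed < a.mid_point:
        # Phase 1: full credit asked, collateral offered grows with time.
        return a.collateral * elapsed // a.mid_point, a.call_debt
    if elapsed < a.duration:
        # Phase 2: full collateral offered, credit asked shrinks with time.
        into_phase2 = elapsed - a.mid_point
        phase2_len = a.duration - a.mid_point
        return a.collateral, a.call_debt - a.call_debt * into_phase2 // phase2_len
    # Auction expired: collateral goes for free, the whole debt is a loss.
    return a.collateral, 0


def collateral_to_borrower(a: Auction, elapsed: int) -> int:
    """Collateral returned to the borrower; non-zero for any phase 1 bid."""
    to_bidder, _ = bid_detail(a, elapsed)
    return a.collateral - to_bidder


def bad_debt(a: Auction, elapsed: int) -> int:
    """Credit that is not recovered if the winning bid lands at `elapsed`."""
    _, credit_asked = bid_detail(a, elapsed)
    return a.call_debt - credit_asked


def delay_report(a: Auction, delays: list[int]) -> dict[int, int]:
    """Bad debt when the first successful bid is `d` seconds into phase 2."""
    return {d: bad_debt(a, a.mid_point + d) for d in delays}


# Constructed sample values, not taken from the protocol's deployment.
SAMPLE = Auction(call_debt=1_000_000, collateral=500_000, mid_point=600, duration=1800)

if __name__ == "__main__":
    for delay, loss in delay_report(SAMPLE, [0, 12, 60, 600, 1200]).items():
        print(f"bid {delay:>4}s into phase 2 -> bad debt {loss}")
```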
#0 - 0xSorryNotSorry
2024-01-02T21:43:23Z
The submission does not provide any demonstration of the issue, reasoning and code blocks.
#1 - c4-pre-sort
2024-01-02T21:43:28Z
0xSorryNotSorry marked the issue as insufficient quality report
#2 - c4-judge
2024-01-24T21:34:48Z
Trumpero marked the issue as unsatisfactory: Insufficient quality
#3 - irving4444
2024-02-03T11:45:46Z
@Trumpero Could you pls check this report again? I did mention the malicious collateral that will call back to the attacker during the first phase to revert the transaction, and for the second phase, a block stuffing attack will happen. This report is also almost the same as #685.
#4 - Trumpero
2024-02-08T16:07:36Z
@irving4444 Agree that this should be a dup of #685, but should receive only 50% partial credit due to the lack of quality.
#5 - c4-judge
2024-02-08T16:08:12Z
Trumpero marked the issue as duplicate of #685
#6 - c4-judge
2024-02-08T16:08:16Z
Trumpero marked the issue as satisfactory
#7 - c4-judge
2024-02-08T16:09:49Z
Trumpero marked the issue as partial-50
#8 - c4-judge
2024-02-08T18:29:55Z
Trumpero changed the severity to 2 (Med Risk)