Inverse Finance contest - Picodes's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Researcher Performance

Rank: 37/127

Findings: 1

Award: $156.27

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rbserver

Also found by: 0xRobocop, Ch_301, ElKu, Jeiwan, MiloTruck, Picodes, sam_cunningham

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sponsor confirmed
duplicate-583

Awards

156.2673 USDC - $156.27

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L325

Vulnerability details

Impact

forceReplenish could be front-run to avoid paying interest, so a malicious user could avoid paying any interest by "transferring" its position to a clean address.

Proof of Concept

Imagine the following scenario:

  • Alice borrows X DOLA and has no DBR
  • Whenever someone tries to call forceReplenish, or whenever she thinks it would be profitable to do so, with a clean address and in a single transaction, Alice
    • flashloans X DOLA
    • calls repay and withdrawOnBehalf to clean the position of her first address
    • opens a new vault identical to the first one
    • repays the flashloan with the borrowed DOLA

At this point Alice has a DBR balance of 0 with her new address, and she doesn't care about the previous one as there is no collateral in it anymore. So she avoided paying interest for this period.

Disclaimer: this could not be profitable for Alice depending on the rewards and the frequency of forceReplenish calls. But at least this should lead to a loss of funds for the protocol and keepers.

Check when withdrawing that the user does not have a negative DBR balance
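The check recommended above, modelled as an added example (not code from the report or from Inverse Finance): a toy ledger whose `withdraw` can refuse an account that still has a DBR deficit. `ToyMarket`, `exit_position` and the accounting rules stated in the comments are assumptions made for illustration.

```python
# Added illustration: a simplified ledger, not Inverse Finance's contracts.
# Assumed rules: 1 DBR covers 1 DOLA of debt for one year; collateral leaves
# only at zero debt; force_replenish converts the deficit to debt 1:1.
YEAR = 365 * 24 * 3600

class ToyMarket:
    def __init__(self, block_withdraw_on_deficit):
        self.block_withdraw_on_deficit = block_withdraw_on_deficit
        self.collateral, self.debt, self.dbr, self.last = {}, {}, {}, {}

    def _accrue(self, user, now):  # burn DBR for elapsed time; may go negative
        elapsed = now - self.last.get(user, now)
        self.dbr[user] = self.dbr.get(user, 0) - self.debt.get(user, 0) * elapsed // YEAR
        self.last[user] = now

    def deficit_of(self, user):
        return max(0, -self.dbr.get(user, 0))

    def borrow(self, user, collateral, amount, now):
        self._accrue(user, now)
        self.collateral[user] = self.collateral.get(user, 0) + collateral
        self.debt[user] = self.debt.get(user, 0) + amount

    def repay(self, user, amount, now):
        self._accrue(user, now)
        self.debt[user] -= amount

    def force_replenish(self, user, now):  # keeper action
        self._accrue(user, now)
        deficit = self.deficit_of(user)
        self.dbr[user] += deficit
        self.debt[user] += deficit
        return deficit

    def withdraw(self, user, now):
        self._accrue(user, now)
        if self.debt.get(user, 0) > 0:
            raise ValueError("debt outstanding")
        if self.block_withdraw_on_deficit and self.deficit_of(user) > 0:
            raise ValueError("DBR deficit outstanding")  # the recommended check
        amount, self.collateral[user] = self.collateral.get(user, 0), 0
        return amount

def exit_position(market, user="alice", principal=1_000, now=YEAR // 2):
    """Borrow at t=0 with no DBR, repay the principal at `now`, try to withdraw.
    Returns (collateral withdrawn, deficit still unpaid)."""
    market.borrow(user, collateral=10, amount=principal, now=0)
    market.repay(user, principal, now)
    try:
        return market.withdraw(user, now), market.deficit_of(user)
    except ValueError:
        return 0, market.deficit_of(user)
```

With the check off, the account exits with its collateral and leaves its deficit unpaid; with it on, the collateral stays locked until the deficit has been replenished into debt and that debt repaid.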

#0 - 08xmt

2022-11-10T03:21:17Z

Combination of https://github.com/code-423n4/2022-10-inverse-findings/issues/208 and https://github.com/code-423n4/2022-10-inverse-findings/issues/401, since #208 is not considered a problem, I'd say it's mainly a variation of #401

#1 - 08xmt

2022-11-25T11:15:47Z

#2 - c4-sponsor

2022-11-25T11:24:50Z

08xmt marked the issue as sponsor confirmed

#3 - c4-judge

2022-11-28T16:26:45Z

0xean marked the issue as duplicate of #401

#4 - Simon-Busch

2022-12-05T15:15:55Z

Marked satisfactory as requested by @0xean

#5 - c4-judge

2022-12-06T00:03:03Z

0xean changed the severity to 2 (Med Risk)

#6 - c4-judge

2022-12-07T08:16:07Z

Simon-Busch marked the issue as duplicate of #583
