Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $36,500 USDC
Total HM: 9
Participants: 69
Period: 3 days
Judge: Picodes
Total Solo HM: 2
Id: 190
League: ETH
Rank: 51/69
Findings: 1
Award: $28.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0Kage, 0x52, 0xAgro, 0xNazgul, 0xTraub, 0xhacksmithh, Awesome, Aymen0909, Bnke0x0, Englave, Janio, Mukund, Parth, RaymondFam, Rolezn, SmartSek, Tointer, UdarTeam, Udsen, Zarf, caventa, chaduke, csanuragjain, deliriusz, gz627, idkwhatimdoing, izhelyazkov, joestakey, neumo, obront, oyc_109, rvierdiiev, shark, trustindistrust, wait, yongskiws
28.124 USDC - $28.12
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L65
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80
In the Collateral.sol contract, the manager can withdraw the base token through the managerWithdraw function. These withdrawals are limited by the ManagerWithdrawHook.sol contract. However, in ManagerWithdrawHook.sol, minReservePercentage can be set to anything from 0 to 100, which means the protocol accepts the possibility of a collateral token that is not fully backed by the base token.
But in a scenario where the collateral token is not fully backed, it is rational for users to withdraw their funds immediately, since there would not be enough base asset to go around. This creates a race, where the fastest users will be made whole, while the slowest will get nothing and lose their funds entirely.
There are multiple approaches to addressing this issue:
Set minReservePercentage to always be equal to 100. Optionally, create a function that would withdraw all funds in case of an emergency, so that the collateral is either 0% or >= 100% backed.
Create a withdraw function similar to the one in an ERC-4626 vault, where users receive their pro-rata share of the underlying asset. This allows for an undercollateralized vault while still distributing the base asset fairly among users, instead of rewarding whoever withdraws first.
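The race described above, and the pro-rata alternative, can be made concrete with a small model. The following is an added illustration written for this page, not prePO's code: it simplifies the hook's check to "the manager may withdraw only while the remaining reserve stays at or above minReservePercentage of the outstanding collateral supply" (percentages here are assumed to be expressed as 0..100), assumes deposits mint collateral 1:1, and compares first-come-first-served 1:1 redemption, where a redemption that the reserve cannot cover simply fails, against ERC-4626-style pro-rata redemption. The users, amounts and the 50% reserve setting are constructed sample inputs.

```python
"""Toy fractional-reserve vault: added illustration, not prePO's code."""
from dataclasses import dataclass, field

PERCENT_DENOMINATOR = 100  # assumption: minReservePercentage given as 0..100


@dataclass
class Vault:
    min_reserve_percentage: int                    # assumed 0..100
    reserve: int = 0                               # base tokens held by the vault
    balances: dict = field(default_factory=dict)   # collateral balance per user

    @property
    def total_supply(self) -> int:
        return sum(self.balances.values())

    def deposit(self, user: str, amount: int) -> None:
        """Assumption: deposits mint collateral 1:1 against the base token."""
        self.reserve += amount
        self.balances[user] = self.balances.get(user, 0) + amount

    def max_manager_withdraw(self) -> int:
        """Base tokens the manager may pull without breaching the reserve floor."""
        required = self.total_supply * self.min_reserve_percentage // PERCENT_DENOMINATOR
        return max(self.reserve - required, 0)

    def manager_withdraw(self, amount: int) -> None:
        """Simplified model of the ManagerWithdrawHook check (an assumption)."""
        if amount > self.max_manager_withdraw():
            raise ValueError("manager withdrawal would breach minReservePercentage")
        self.reserve -= amount

    def withdraw_fcfs(self, user: str, amount: int) -> int:
        """1:1 redemption. Once the reserve is short, the transfer fails and the
        user receives nothing while keeping the (unbacked) collateral."""
        amount = min(amount, self.balances.get(user, 0))
        if amount > self.reserve:
            return 0
        self.balances[user] -= amount
        self.reserve -= amount
        return amount

    def withdraw_pro_rata(self, user: str, amount: int) -> int:
        """ERC-4626 style: burn collateral, pay amount * reserve / totalSupply."""
        amount = min(amount, self.balances.get(user, 0))
        if amount == 0 or self.total_supply == 0:
            return 0
        payout = amount * self.reserve // self.total_supply
        self.balances[user] -= amount
        self.reserve -= payout
        return payout


def simulate(policy: str, min_reserve_percentage: int,
             manager_withdraw_amount: int, users: list) -> dict:
    """Deposit for every user, let the manager withdraw, then let every user
    try to redeem their full balance in order. Returns base received per user."""
    vault = Vault(min_reserve_percentage)
    for user, amount in users:
        vault.deposit(user, amount)
    vault.manager_withdraw(manager_withdraw_amount)
    redeem = getattr(vault, policy)
    return {user: redeem(user, amount) for user, amount in users}


# Constructed sample: three equal depositors, 50% reserve floor, manager takes
# the maximum the floor permits, then everyone runs for the exit.
SAMPLE_USERS = [("alice", 100), ("bob", 100), ("carol", 100)]

if __name__ == "__main__":
    print("fcfs     ", simulate("withdraw_fcfs", 50, 150, SAMPLE_USERS))
    print("pro-rata ", simulate("withdraw_pro_rata", 50, 150, SAMPLE_USERS))
    print("100% floor allows manager to take:",
          Vault(100, 300, {"alice": 300}).max_manager_withdraw())
```

With the sample inputs, first-come-first-served pays alice in full and leaves bob and carol with nothing (and 50 base tokens stranded that neither can claim against a 100-token redemption), whereas pro-rata redemption pays each of the three exactly 50, which is what a fair settlement of a 50%-backed vault looks like. Setting the floor to 100% drives the manager's withdrawable amount to zero, matching the first suggested mitigation.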
#0 - hansfriese
2022-12-14T18:13:04Z
duplicate of #254
#1 - Picodes
2022-12-17T10:07:29Z
There is currently this possibility: in case the contract is under collateralized, the manager can withdraw the funds and do a fair settlement. It would indeed be better than a bank run scenario. This falls within QA to me as it's more an interesting suggestion than a vulnerability.
#2 - c4-judge
2022-12-17T10:07:38Z
Picodes changed the severity to QA (Quality Assurance)
#3 - c4-judge
2022-12-19T14:23:23Z
Picodes marked the issue as grade-b
#4 - c4-judge
2022-12-19T14:23:39Z
Picodes marked the issue as grade-a
#5 - ramenforbreakfast
2022-12-21T23:55:39Z
While this scenario is correct, it is how the Collateral architecture is designed: it is a fractional reserve system that is subject to all the limitations of a fractional reserve sort of architecture, where there is significant trust on the entity responsible for liabilities (customer deposits).
Going to dispute, since returning users a share of the underlying asset would be a completely different reserve/liability model.
#6 - c4-sponsor
2022-12-21T23:55:43Z
ramenforbreakfast marked the issue as sponsor disputed
#7 - c4-judge
2023-01-07T18:06:21Z
Picodes marked the issue as grade-b
#8 - Picodes
2023-01-07T18:08:25Z
I'll accept the report as a grade-b QA report, as the warden is not really suggesting to totally change the system, but more highlighting the fact that it could provide an additional layer of safety for users to have some automatic pausing in case there is a loss of funds