Platform: Code4rena
Start Date: 24/10/2023
Pot Size: $149,725 USDC
Total HM: 7
Participants: 52
Period: 21 days
Judge: ronnyx2017
Total Solo HM: 2
Id: 300
League: ETH
Rank: 12/52
Findings: 1
Award: $810.99
🌟 Selected for report: 0
🚀 Solo Findings: 0
810.9886 USDC - $810.99
https://github.com/code-423n4/2023-10-badger/blob/main/packages/contracts/contracts/CdpManager.sol#L320
An attacker with enough eBTC can lower the system's TCR below MCR using the CdpManager.sol#redeemCollateral function. This will block other users' redemptions due to the system's logic. If this happens, to recover the system a borrower has to create a Cdp with lots of collateral or add lots of collateral to an existing Cdp. But this is a loss from the borrower's perspective.
Even if isRecoveryMode is true, with the CdpManager.sol#redeemCollateral function the malicious user can lower the TCR below MCR.
File: packages/contracts/contracts/CdpManager.sol
350: _requireTCRisNotBelowMCR(totals.price, totals.tcrAtStart);
At L350 there is a check for TCR being higher than MCR. However, there is no check on TCR after redeeming. This will leave the system delinquent and block further redemptions.
Manual Review
The CdpManager.sol#redeemCollateral function needs to be corrected to check TCR after the redemption.
458: totals.collSharesToRedeemer = totals.collSharesDrawn - totals.feeCollShares; 459+: uint256 newTotalCollShare = totals.systemCollSharesAtStart - totals.collSharesDrawn - totals.totalCollSharesSurplus; 460+: uint256 newTotalDebt = totals.systemDebtAtStart - totals.debtToRedeem; 461+: uint256 newSthEthBalance = collateral.getPooledEthByshares(new TotalCollShare); 462+: uint256 newTCR = EbtcMath._computeCR(newStEthBalance.newTotalDebt, _price); 463+: _requireTCRRisNotBelowMCR(total.price, totals.newTCR); 464+: _syncGracePeriodForGivenValues( 465+: newTotalCollShare, 466+: newTotalDebt, 467+: totals.price 468+); 460-: _syncGracePeriodForGivenValues( 461-: totals.systemCollSharesAtStart - totals.collSharesDrawn - totals.totalCollSharesSurplus, 462-: totals.systemDebtAtStart - totals.debtToRedeem, 463-: totals.price 464-: );
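Review bot: the added lines will not compile as written, and the post-redemption check is placed so that it reverts the redeemer's whole transaction, which is the intended effect but should be stated. In `uint256 newSthEthBalance = collateral.getPooledEthByshares(new TotalCollShare);` the variable is declared as `newSthEthBalance` but read as `newStEthBalance` on the next line, `new TotalCollShare` splits the identifier `newTotalCollShare`, and `getPooledEthByshares` does not match the stETH interface's `getPooledEthByShares` casing. `EbtcMath._computeCR(newStEthBalance.newTotalDebt, _price)` needs a comma between its first two arguments and should pass `totals.price`, which is what the rest of the function carries, rather than an undeclared `_price`. `_requireTCRRisNotBelowMCR(total.price, totals.newTCR)` misspells the helper the report cites at line 350 as `_requireTCRisNotBelowMCR`, writes `total` for `totals`, and reads `newTCR` as a struct field although it was just declared as a local; `_requireTCRisNotBelowMCR(totals.price, newTCR);` is what is meant. The `+` lines also reuse the numbers 460 to 464 that the `-` lines carry, so where the new block sits relative to the replaced `_syncGracePeriodForGivenValues` call is ambiguous; dropping the numbers or renumbering the hunk would make it reviewable.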
Invalid Validation
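The accounting behind the recommended fix, as an added toy model in Python. This is not eBTC's Solidity and not the warden's code; it assumes a 1:1 stETH share rate, a flat redemption fee, a Liquity-style rule that Cdps with ICR below MCR are skipped, that a fully redeemed Cdp's leftover collateral moves to the surplus pool and so leaves the system totals (the `totalCollSharesSurplus` term in the report), and an MCR of 110%. `redeem_collateral` applies the existing check on `tcrAtStart` and, optionally, the post-redemption check the report proposes; `HEALTHY`, `MIXED` and `PRICE` are constructed inputs.

```python
# Added toy model (not eBTC's code): system TCR before and after a redemption.
from dataclasses import dataclass

PRECISION = 10**18
MCR = 110 * PRECISION // 100   # 110%; assumption for this model
FEE_BPS = 50                   # constructed flat redemption fee (eBTC's is dynamic)


class TcrBelowMcr(Exception):
    """Stands in for the revert in the contract's _requireTCRisNotBelowMCR."""


def compute_cr(coll: int, debt: int, price: int) -> int:
    """Collateral ratio in 18-decimal fixed point; price is eBTC per stETH."""
    if debt == 0:
        return 2**256 - 1
    return coll * price // debt


def require_tcr_not_below_mcr(tcr: int) -> None:
    if tcr < MCR:
        raise TcrBelowMcr(f"TCR {tcr / PRECISION:.4f} below MCR {MCR / PRECISION:.2f}")


@dataclass
class Cdp:
    owner: str
    coll: int   # stETH in wei; share rate assumed 1:1, so shares == stETH
    debt: int   # eBTC in wei

    def icr(self, price: int) -> int:
        return compute_cr(self.coll, self.debt, price)


def system_tcr(cdps: list[Cdp], price: int) -> int:
    return compute_cr(sum(c.coll for c in cdps), sum(c.debt for c in cdps), price)


def redeem_collateral(cdps: list[Cdp], debt_to_redeem: int, price: int,
                      check_after: bool) -> dict:
    """Model of CdpManager.redeemCollateral.

    Walks Cdps from lowest ICR upward (sortedCdps order), skips any with
    ICR < MCR (Liquity-style rule, assumed here) and redeems at par: each unit
    of debt retired draws debt/price of collateral. A fully redeemed Cdp's
    leftover collateral goes to the surplus pool and leaves the system totals.
    """
    tcr_at_start = system_tcr(cdps, price)
    require_tcr_not_below_mcr(tcr_at_start)      # the check the contract has today

    remaining = debt_to_redeem
    coll_drawn = 0     # leaves the system to the redeemer and the fee recipient
    surplus = 0        # leaves the system to the surplus pool
    survivors: list[Cdp] = []
    for cdp in sorted(cdps, key=lambda c: c.icr(price)):
        if remaining == 0 or cdp.icr(price) < MCR:
            survivors.append(cdp)
            continue
        take = min(remaining, cdp.debt)
        draw = take * PRECISION // price
        coll_drawn += draw
        remaining -= take
        if take == cdp.debt:
            surplus += cdp.coll - draw
        else:
            survivors.append(Cdp(cdp.owner, cdp.coll - draw, cdp.debt - take))

    new_coll = sum(c.coll for c in cdps) - coll_drawn - surplus
    new_debt = sum(c.debt for c in cdps) - (debt_to_redeem - remaining)
    assert new_coll == sum(c.coll for c in survivors)   # accounting sanity check
    new_tcr = compute_cr(new_coll, new_debt, price)
    if check_after:
        require_tcr_not_below_mcr(new_tcr)       # the check the report proposes

    fee = coll_drawn * FEE_BPS // 10_000
    return {
        "tcr_at_start": tcr_at_start,
        "new_tcr": new_tcr,
        "debt_redeemed": debt_to_redeem - remaining,
        "coll_to_redeemer": coll_drawn - fee,
        "fee_coll": fee,
        "cdps": survivors,
    }


ETH = 10**18
PRICE = 5 * 10**16   # constructed: 0.05 eBTC per stETH

# Constructed scenario 1: every Cdp is healthy; the redemption eats the lowest-ICR one.
HEALTHY = [Cdp("a", 100 * ETH, 4 * ETH),     # ICR 125%
           Cdp("b", 100 * ETH, 3 * ETH),     # ICR ~167%
           Cdp("c", 200 * ETH, 5 * ETH)]     # ICR 200%

# Constructed scenario 2: one Cdp already below MCR is skipped; the healthy one
# is fully redeemed and its surplus leaves the system.
MIXED = [Cdp("u", 100 * ETH, 51 * ETH // 10),   # ICR ~98%, skipped
         Cdp("h", 120 * ETH, 4 * ETH)]          # ICR 150%

if __name__ == "__main__":
    r = redeem_collateral(HEALTHY, 4 * ETH, PRICE, check_after=True)
    print("healthy: TCR %.4f -> %.4f" % (r["tcr_at_start"] / ETH, r["new_tcr"] / ETH))
    r = redeem_collateral(MIXED, 4 * ETH, PRICE, check_after=False)
    print("mixed, no post-check: TCR %.4f -> %.4f" % (r["tcr_at_start"] / ETH, r["new_tcr"] / ETH))
    try:
        redeem_collateral(MIXED, 4 * ETH, PRICE, check_after=True)
    except TcrBelowMcr as e:
        print("mixed, post-check:", e)
```

The two constructed scenarios make the mechanics concrete. Redeeming at par from the lowest-ICR Cdp raises the system TCR, which is the arithmetic behind the judge's remark that such a redemption looks more like a donation. TCR can only fall when collateral worth more than the retired debt leaves the system; in this model that happens when a below-MCR Cdp is skipped and a healthier one is fully redeemed, its surplus moving to the surplus pool. The start-of-redemption check passes in that case and only the post-redemption check rejects it. Whether eBTC's actual skip rule and surplus handling match these assumptions is exactly what a PoC test against the contracts would have to establish.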
#0 - c4-pre-sort
2023-11-16T07:55:21Z
bytes032 marked the issue as insufficient quality report
#1 - jhsagd76
2023-11-25T08:10:03Z
In consideration of sortedCdps and the base fee rate update, this type of attack is more likely to result in a donation to the protocol than a loss.
Please provide a PoC test to prove it really works.
#2 - c4-judge
2023-11-25T08:10:17Z
jhsagd76 marked the issue as unsatisfactory: Insufficient proof
#3 - c4-judge
2023-11-26T00:51:49Z
jhsagd76 marked the issue as duplicate of #199
#4 - c4-judge
2023-11-26T01:06:27Z
jhsagd76 changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-11-26T01:06:57Z
jhsagd76 marked the issue as grade-a
#6 - c4-judge
2023-11-28T06:30:02Z
jhsagd76 marked the issue as grade-c
#7 - c4-judge
2023-12-07T02:34:16Z
This previously downgraded issue has been upgraded by jhsagd76
#8 - jhsagd76
2023-12-07T02:47:52Z
It did not identify the key issue and impact, and the PoC is insufficient. So 25%.
#9 - c4-judge
2023-12-07T02:48:00Z
jhsagd76 marked the issue as partial-25