Inverse Finance contest - catchup's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Inverse Finance

Findings Distribution

Researcher Performance

Rank: 25/127

Findings: 3

Award: $376.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: jayphbee

Also found by: catchup, cccz, corerouter, trustindistrust

Labels

bug
2 (Med Risk)
satisfactory
duplicate-275

Awards

342.9734 USDC - $342.97

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L605-L610

Vulnerability details

Impact

When a user's debt is liquidated, if the escrow balance is less than the liquidation fee, no fee is paid.

    if(liquidationFeeBps > 0) {
        uint liquidationFee = repaidDebt * 1 ether / price * liquidationFeeBps / 10000;
        if(escrow.balance() >= liquidationFee) {
            escrow.pay(gov, liquidationFee);
        }
    }

However, the escrow balance can be deducted as the liquidation fee in that case. Governance is missing out on the fees it can collect.

Tools Used

Manual review

Change the above code block as follows:

    if(liquidationFeeBps > 0) {
        uint liquidationFee = repaidDebt * 1 ether / price * liquidationFeeBps / 10000;
        if(escrow.balance() >= liquidationFee) {
            escrow.pay(gov, liquidationFee);
        }
        else {
            escrow.pay(gov, escrow.balance());
        }
    }

#0 - c4-judge

2022-11-05T21:10:16Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:35:12Z

Issue marked as satisfactory as requested by 0xean

Findings Information

Awards

33.634 USDC - $33.63

Labels

bug
2 (Med Risk)
satisfactory
duplicate-301

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L78-L84
https://github.com/code-423n4/2022-10-inverse/blob/main/src/DBR.sol#L349-L352

Vulnerability details

Impact

The operator can add as many minter addresses as he/she wants.

    function addMinter(address minter_) public onlyOperator {
        minters[minter_] = true; //@audit-issue medium unlimited number of minters can be added. centralisation risk. a compromised minter can overinflate the DBR.
        emit AddMinter(minter_);
    }

I believe this presents an important risk, as if one of these minter addresses is compromised, an unlimited number of DBR can be minted.

Tools Used

Manual review

Consider giving the minter role to only the operator, or have just a single minter rather than multiple.

#0 - c4-judge

2022-11-05T21:31:28Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:36:04Z

Issue marked as satisfactory as requested by 0xean

#2 - c4-judge

2022-12-07T08:22:04Z

Simon-Busch marked the issue as duplicate of #301

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L6
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L82
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L16

Vulnerability details

Impact

The Chainlink API latestAnswer used in Oracle.sol is deprecated. Please check the link. This function returns 0 when there is no data rather than giving out an error. Also, Chainlink may stop supporting the deprecated API one day. In that case prices will not be able to be obtained.

Tools Used

Manual review

Use the latestRoundData function to get the price instead. Add checks on the return data with proper revert messages if the price is stale or the round is incomplete, for example:

    (uint80 roundID, int256 price, , uint256 timeStamp, uint80 answeredInRound) = priceOracle.latestRoundData();
    require(answeredInRound >= roundID, "...");
    require(timeStamp != 0, "...");

#0 - neumoxx

2022-10-31T08:45:38Z

Duplicate of #601

#1 - c4-judge

2022-11-05T17:50:15Z

0xean marked the issue as duplicate

#2 - Simon-Busch

2022-12-05T15:27:17Z

Issue marked as satisfactory as requested by 0xean

#3 - c4-judge

2022-12-07T08:14:13Z

Simon-Busch marked the issue as duplicate of #584
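
The latestRoundData checks recommended in the Oracle.sol finding above, written out as a complete reader contract. This is an added example, not code from the contest repository or from the finding's author. The contract name CheckedFeedReader, the maxAge parameter and the custom error names are assumptions made for illustration, and it goes slightly beyond the finding by also rejecting a zero or negative answer and enforcing a maximum age.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Chainlink's aggregator interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical wrapper for illustration; not part of Oracle.sol.
contract CheckedFeedReader {
    // Assumption: oldest answer age (in seconds) the caller will accept,
    // chosen per feed from its published heartbeat.
    uint256 public immutable maxAge;

    error RoundIncomplete();
    error StaleRound(uint80 roundId, uint80 answeredInRound);
    error NoData(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 nowTs);

    constructor(uint256 maxAge_) {
        maxAge = maxAge_;
    }

    // Returns the feed's latest answer, or reverts with a specific error
    // instead of silently handing back 0 as latestAnswer can.
    function readPrice(AggregatorV3Interface feed) public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();

        // updatedAt == 0 means the round has not been completed yet.
        if (updatedAt == 0) revert RoundIncomplete();
        // The answer was carried over from an earlier round.
        if (answeredInRound < roundId) revert StaleRound(roundId, answeredInRound);
        // A zero or negative price must never reach collateral valuation.
        if (answer <= 0) revert NoData(answer);
        // The answer is older than the accepted window.
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, block.timestamp);

        return uint256(answer);
    }
}
```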
