yAxis contest - harleythedog's results

Handle

harleythedog

Vulnerability details

Impact

Within CDP.sol (https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/libraries/alchemist/CDP.sol) there is a function called update. This function slowly decreases the debt of a position as yield is earned, until the debt is fully paid off, and the idea is then that the credit should begin incrementing as more yield is accumulated. However, the current logic to increment the totalCredit is this line of code (line 39 of CDP.sol):

_self.totalCredit = _earnedYield.sub(_currentTotalDebt);

Notice that that each time update is called, this overwrites the previous totalCredit with the incremental credit accumulated. The line should instead be:

_self.totalCredit = _self.totalCredit.add(_earnedYield.sub(_currentTotalDebt));

Indeed, look at the function getUpdatedTotalCredit, it returns the value:

_self.totalCredit + (_unclaimedYield - _currentTotalDebt);

So it is obviously intended that the totalCredit should keep increasing over time instead of being overwritten on each update with a small value. The impact of this issue is large - the credit of every position will always be overwritten and the correct information will be lost forever. User's credit should grow over time, but instead it is overwritten with a small value every time update is called.

Proof of Concept

See line 39 in CDP.sol here: https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/libraries/alchemist/CDP.sol#:~:text=_self.totalCredit%20%3D%20_earnedYield.sub(_currentTotalDebt)%3B

Tools Used

Manual inspection.

Recommended Mitigation Steps

Change code as described above to increment totalCredit instead of overwrite it.