Revert Lend - n1punp's results

0xEVom marked the issue as sufficient quality report

0xEVom marked the issue as primary issue

Medium severity due to external assumptions.

Related: #223

Initial thoughts: There is another parameter which is TWAP period which we plan to set much lower than for example compound to react faster to price changes. Of course there is still the same risk but it is much smaller. Because we use TWAP only to verify prices the period may be lower, as manipulation only leads to temporary disabled liquidations.

"This means users will not be able to modify any of the positions" - this is not 100% true. You may always repay positions

There seem to be a few misunderstandings regarding how our protocol works that make this report invalid.

1. "Hence, if the price diff is set too small, then the V3Oracle will revert. This means users will not be able to modify any of the positions, including liquidators." Important to note that what would revert in that case would be liquidations and new loans, existing loans would be able to settle any outstanding debt.
2. "If price continues to rally, then this can end up with bad debt into the system due to underwater positions" A lending asset will only be 1 stablecoin, and any rally in the whitelisted collateral assets would not put the protocol at risk of bad debt.
3. "(see CompoundV2's case here: https://twitter.com/ChainLinkGod/status/1761061618983841828. This event has caused $3m bad debt to Compound v2 since TWAP did not catch up, causing oracle reverts during the UNI price pump)."

The case of Compound is different in a few important ways:

1. When their oracle sees a price deviation, it ignores the latest price and continues functioning with an outdated stale price. Revert Lend instead stops any new loans or liquidations until the deviation in prices seen by the oracle is corrected.
2. Compound allows for the borrowing of volatile assets, Revert Lend only allows for borrowing of a stablecoin.

What happened with the UNI example with Compound

1. Price increase on UNI suddenly and drastically and chainlink feed had the correct price but univ3 TWAP is outdated
2. Compound ignores the new reported prices and continues operating with the outdated price
3. Exploiters take out UNI loans with less collateral that should be possible at correct prices
4. Protocol accrues bad debt.

What would have happened to Revert Lend:

1. Price increase on UNI suddenly and drastically and chainlink feed had the correct price but univ3 TWAP is outdated
2. Revert lend pauses any new loans and liquidations
3. Borrowers with UNI collateral now have healthier positions.
4. No new borrows or liquidations are possible until the TWAP catches up with the chainlink price (e.g. 1 minute)
5. All good.

While it's true that there is a risk where in the inverse case, when the price of a collateral asset crashes suddenly and the TWAP price lags, liquidations will be halted potentially putting the protocol in a bad debt state for a subset of positions. We believe this an acceptable trade-off given our TWAP period length, and collateral asset caps, in order to not solely depend on chainlink as the only price source. You will notice that, for example Maker, has a longer threshold for price updates than our TWAP period.

mariorz (sponsor) disputed

I believe that the warden, the sponsor, myself have no technical misunderstanding regarding this issue, and I don't think it meets the criteria for an H/M severity level.

For an H severity, the rules require the issue to be able to cause definite loss to the protocol without harsh preconditions. This issue has very rare preconditions and clearly does not meet the standard for high severity.

Secondly, for an M level, we require the issue to cause a functional disruption to the protocol. We all understand that TWAP is designed to work this way, and the sponsor has also explained that their use of and the risks associated with TWAP are completely in line with expectations and design. Therefore, I don't believe it really breaks any functionality.

jhsagd76 changed the severity to QA (Quality Assurance)

N

jhsagd76 marked the issue as grade-b