Overlay Protocol contest - nathaniel's results

Handle

nathaniel

Vulnerability details

Impact

The highly privileged Governor role gives access to the setMarketInfo function in overlayV1OVLCollateral.sol. In this function, the caller can arbitrarily change the marginMaintenance and the marginRewardRate for any market. They can increase the marginMaintenance to a very high value such that all positions are liquidatable, and increase the marginRewardRate to 100% such that upon calling the liquidate function, it will liquidate the entire value of the position and reward it to the liquidator (to themself).

Proof of Concept

https://github.com/code-423n4/2021-11-overlay/blob/main/contracts/collateral/OverlayV1OVLCollateral.sol#L94-L105 https://github.com/code-423n4/2021-11-overlay/blob/main/contracts/collateral/OverlayV1OVLCollateral.sol#L379 https://github.com/code-423n4/2021-11-overlay/blob/main/contracts/collateral/OverlayV1OVLCollateral.sol#L401 https://github.com/code-423n4/2021-11-overlay/blob/main/contracts/collateral/OverlayV1OVLCollateral.sol#L413

Tools Used

manual

Recommended Mitigation Steps

• Governor role should be assigned to a DAO like entity to require consensus to allow change to critical configurations.
• Apply boundary restrictions (min and max values) on the values that can be changed. Utilise the MIN/MAX_MARGIN_MAINTENANCE values in the OverlayV1Mothership.sol.