Ethereum Credit Guild - neocrao's results

A trust minimized pooled lending protocol.

General Information

Platform: Code4rena

Start Date: 11/12/2023

Pot Size: $90,500 USDC

Total HM: 29

Participants: 127

Period: 17 days

Judge: TrungOre

Total Solo HM: 4

Id: 310

League: ETH

Ethereum Credit Guild

Findings Distribution

Researcher Performance

Rank: 93/127

Findings: 1

Award: $39.54

🌟 Selected for report: 1

🚀 Solo Findings: 0

Awards

39.5384 USDC - $39.54

Labels

bug
2 (Med Risk)
primary issue
satisfactory
selected for report
sponsor confirmed
sufficient quality report
M-15

External Links

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L323-L330

Vulnerability details

Description

The LendingTerm::debtCeiling() function calculates the min of creditMinterBuffer, _debtCeiling and _hardCap as shown below:

// return min(creditMinterBuffer, hardCap, debtCeiling)
if (creditMinterBuffer < _debtCeiling) {
    return creditMinterBuffer;
}
if (_hardCap < _debtCeiling) {
    return _hardCap;
}
return _debtCeiling;

However, the above minimum logic is flawed, as it does not always return the minimum of the 3 values.

Impact

Because the min() calculation is incorrect, LendingTerm::debtCeiling() may return a value higher than the actual debt ceiling, whereas the function is meant to return the binding limit.

LendingTerm::debtCeiling() is used in GuildToken::_decrementGaugeWeight(), so that function inherits the incorrect value as well.

Proof of concept

If creditMinterBuffer were 3, _debtCeiling were 5, and _hardCap were 1, then the minimum of the 3 values should be _hardCap, which is 1.

Instead, the first condition creditMinterBuffer < _debtCeiling (3 < 5) is true, so the function returns creditMinterBuffer (3) without ever comparing against _hardCap, which is incorrect.
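To show exactly which orderings of the three inputs the flawed branch mishandles, the following is an added example (not code from the report or the Ethereum Credit Guild repository) that mirrors the original Solidity tail and the corrected version proposed in the report's mitigation in plain Python, then runs both against every combination of a small value set. The function names and the value sets are constructed for the demonstration.

```python
from itertools import product


def flawed_debt_ceiling(credit_minter_buffer, debt_ceiling, hard_cap):
    """Mirror of the original LendingTerm::debtCeiling() tail.

    It is meant to return min(creditMinterBuffer, hardCap, debtCeiling), but
    the first branch returns creditMinterBuffer without ever checking hardCap.
    """
    if credit_minter_buffer < debt_ceiling:
        return credit_minter_buffer
    if hard_cap < debt_ceiling:
        return hard_cap
    return debt_ceiling


def fixed_debt_ceiling(credit_minter_buffer, debt_ceiling, hard_cap):
    """Mirror of the corrected logic from the report's mitigation section."""
    if credit_minter_buffer < debt_ceiling and credit_minter_buffer < hard_cap:
        return credit_minter_buffer
    elif debt_ceiling < hard_cap:
        return debt_ceiling
    else:
        return hard_cap


def bug_triggers(credit_minter_buffer, debt_ceiling, hard_cap):
    """Characterisation of the defect: the flawed version overstates the
    ceiling exactly when hardCap is the minimum and the first branch fires."""
    return hard_cap < credit_minter_buffer < debt_ceiling


def find_mismatches(values=(1, 3, 5)):
    """Differential test: run both versions over every ordering (including
    ties) of the constructed value set and return the inputs where the flawed
    version disagrees with the true minimum, as (inputs, got, expected)."""
    mismatches = []
    for cmb, dc, hc in product(values, repeat=3):
        expected = min(cmb, dc, hc)
        # The corrected logic must agree with the true minimum everywhere.
        assert fixed_debt_ceiling(cmb, dc, hc) == expected
        got = flawed_debt_ceiling(cmb, dc, hc)
        if got != expected:
            mismatches.append(((cmb, dc, hc), got, expected))
    return mismatches


if __name__ == "__main__":
    # Default value set reproduces the report's proof of concept (3, 5, 1).
    for inputs, got, expected in find_mismatches():
        print(f"inputs (cmb, dc, hc)={inputs}: flawed returned {got}, expected {expected}")
    # Wider sweep: every mismatch satisfies hard_cap < cmb < debt_ceiling.
    wide = find_mismatches(range(6))
    print(f"{len(wide)} mismatching triples in range(6); all match the characterisation:",
          all(bug_triggers(*inp) for inp, _, _ in wide))
```

With the default value set the only mismatch is the report's own PoC triple, and the wider sweep confirms that every overstatement has the shape hardCap < creditMinterBuffer < debtCeiling, which is the case a regression test for the fix should pin down.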

Severity Justification

This is Medium severity, based on the Code4rena Severity Categorization: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization

2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.

Tools Used

Manual review

Update the min() logic to be correct:

-   if (creditMinterBuffer < _debtCeiling) {
-      return creditMinterBuffer;
-   }
-   if (_hardCap < _debtCeiling) {
-      return _hardCap;
-   }
-   return _debtCeiling;
+   if (creditMinterBuffer < _debtCeiling && creditMinterBuffer < _hardCap) {
+       return creditMinterBuffer;
+   } else if (_debtCeiling < _hardCap) {
+       return _debtCeiling;
+   } else {
+       return _hardCap;
+   }
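Review bot: the replacement branch structure is correct for all orderings, ties included: when the first condition fails, at least one of _debtCeiling or _hardCap is less than or equal to creditMinterBuffer, so returning the smaller of those two in the else branches yields the overall minimum. Since the original tail was shipped with a `// return min(creditMinterBuffer, hardCap, debtCeiling)` comment that its code did not honour, keep that comment above the new block and add a regression test using the report's proof-of-concept values (creditMinterBuffer 3, _debtCeiling 5, _hardCap 1) expecting 1, so the intent and the behaviour are checked together.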

Assessed type

Other

#0 - c4-pre-sort

2024-01-04T12:28:38Z

0xSorryNotSorry marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-04T12:28:43Z

0xSorryNotSorry marked the issue as primary issue

#2 - c4-sponsor

2024-01-11T16:22:41Z

eswak (sponsor) confirmed

#3 - eswak

2024-01-11T16:22:55Z

Very clear, thank you 👍

#4 - c4-judge

2024-01-28T19:46:32Z

Trumpero marked the issue as satisfactory

#5 - c4-judge

2024-01-28T20:02:53Z

Trumpero marked the issue as selected for report
