Platform: Code4rena
Start Date: 25/10/2022
Pot Size: $50,000 USDC
Total HM: 18
Participants: 127
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 175
League: ETH
Rank: 85/127
Findings: 2
Award: $34.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: trustindistrust
Also found by: 0xbepresent, Jujic, Lambda, RaoulSchaffranek, c7e7eff, catchup, codexploder, cryptonue, d3e4, eierina, jwood, pashov, peanuts, pedroais, simon135
33.634 USDC - $33.63
DBR.setReplenishmentPriceBps has no upper bound. A malicious operator can set a basis-point value above 10000, and markets can then force borrowers in deficit to incur a huge debt.
replenishmentPriceBps is used in onForceReplenish, and only a market can call onForceReplenish to increase the borrower's debt and mint them new DBR:
```solidity
function onForceReplenish(address user, uint amount) public {
    require(markets[msg.sender], "Only markets can call onForceReplenish");
    uint deficit = deficitOf(user);
    require(deficit > 0, "No deficit");
    require(deficit >= amount, "Amount > deficit");
    // replenishmentPriceBps is unbounded, so the cost charged per DBR minted is unbounded too
    uint replenishmentCost = amount * replenishmentPriceBps / 10000;
    accrueDueTokens(user);
    debts[user] += replenishmentCost;
    _mint(user, amount);
}
```
If replenishmentPriceBps is 10,000, 1 DBR is minted and 1 DOLA is added to the borrower's debt. If replenishmentPriceBps is 1,000,000, 1 DBR is minted and 100 DOLA are added to the borrower's debt, which is unfair to the borrower.
Manual Review
Set an upper limit in setReplenishmentPriceBps:
```solidity
function setReplenishmentPriceBps(uint newReplenishmentPriceBps_) public onlyOperator {
    // @audit no upper bound
    require(newReplenishmentPriceBps_ > 0, "replenishment price must be over 0");
    replenishmentPriceBps = newReplenishmentPriceBps_;
}
```
similar to setCollateralFactorBps and setLiquidationFactorBps in Market.sol:
```solidity
function setReplenishmentPriceBps(uint newReplenishmentPriceBps_) public onlyOperator {
    // bound the value to [1, 10000] so one DBR can never cost more than one DOLA of debt
    require(newReplenishmentPriceBps_ > 0 && newReplenishmentPriceBps_ <= 10000, "replenishment price must be between 1 and 10000");
    replenishmentPriceBps = newReplenishmentPriceBps_;
}
```
#0 - c4-judge
2022-11-06T14:59:16Z
0xean marked the issue as duplicate
#1 - Simon-Busch
2022-12-05T15:35:38Z
Issue marked as satisfactory as requested by 0xean
#2 - c4-judge
2022-12-07T08:22:05Z
Simon-Busch marked the issue as duplicate of #301
🌟 Selected for report: rbserver
Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives
0.385 USDC - $0.38
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L82
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L116
According to Chainlink's documentation, the latestAnswer function is deprecated. It returns 0 instead of reverting when there is no answer. As a best practice, read the decimals from the oracle instead of hard-coding them in the contract.
Manual Review
Use V3 interface functions: https://docs.chain.link/docs/price-feeds-api-reference/
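As an added illustration (not code from the Inverse repository or this finding), the following contract reads a feed through latestRoundData instead of the deprecated latestAnswer, rejects zero, stale or incomplete answers, and takes decimals from the feed. The contract name SafeFeedReader, the function getNormalizedPrice and the MAX_STALENESS tolerance are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal subset of Chainlink's AggregatorV3Interface; the signatures match the real interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract SafeFeedReader {
    // Assumed staleness tolerance; in practice tune this to the feed's heartbeat.
    uint256 public constant MAX_STALENESS = 1 hours;

    /// @notice Returns the feed's latest price normalised to 18 decimals, reverting on every
    ///         condition under which latestAnswer() would have silently returned 0 or a stale value.
    function getNormalizedPrice(AggregatorV3Interface feed) external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        require(answer > 0, "invalid answer");                       // latestAnswer() would return 0 here
        require(updatedAt != 0, "round not complete");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        require(answeredInRound >= roundId, "answer from earlier round");

        // Read the precision from the oracle rather than hard-coding 8 (or 18) in the contract.
        uint8 feedDecimals = feed.decimals();
        uint256 price = uint256(answer);
        if (feedDecimals < 18) {
            price *= 10 ** (18 - feedDecimals);
        } else if (feedDecimals > 18) {
            price /= 10 ** (feedDecimals - 18);
        }
        return price;
    }
}
```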
#0 - neumoxx
2022-10-31T08:50:50Z
Duplicate of #601
#1 - c4-judge
2022-11-05T17:52:51Z
0xean marked the issue as duplicate
#2 - Simon-Busch
2022-12-05T15:25:41Z
Issue marked as satisfactory as requested by 0xean
#3 - c4-judge
2022-12-07T08:14:13Z
Simon-Busch marked the issue as duplicate of #584