Back to thank_you's contests

Ethereum Credit Guild - thank_you's results

A trust minimized pooled lending protocol.

General Information

Platform: Code4rena

Start Date: 11/12/2023

Pot Size: $90,500 USDC

Total HM: 29

Participants: 127

Period: 17 days

Judge: TrungOre

Total Solo HM: 4

Id: 310

League: ETH

Ethereum Credit Guild

Findings Distribution

Researcher Performance

Rank: 100/127

Findings: 1

Award: $30.41

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryEthereum Credit Guild

Findings Information

🌟 Selected for report: neocrao

Also found by: 0xStalin, Aymen0909, Byteblockers, Chinmay, The-Seraphs, TheSchnilch, Timenov, Varun_05, ether_sky, kaden, mojito_auditor, mussucal, nonseodion, rbserver, santipu_, thank_you, twcctop

Awards

30.4141 USDC - $30.41

Labels

2 (Med Risk)
satisfactory
duplicate-708

External Links

Link to GitHub issue

Judge has assessed an item in Issue #765 as 2 risk. The relevant finding follows:

L-03

The LendingTerm.debtCeiling() function returns the debt ceiling for the given term. Unfortunately, the code is designed such that there is an off-chance that if _hardCap < creditMinterBuffer < (_issuance + maxBorrow), then the creditMintBuffer will be returned. In this case, _hardCap should be returned.

This can cause GuildToken._decrementGaugeWeight to decrement when it should if the above edge case occurs and the issuance is greater than the _hardCap.

The LendingTerm.debtCeiling() runs a series of calculations to determine the Term's debt ceiling. The debt ceiling should always lean towards returning the smallest acceptable value to ensure protocol safety and prevent runaway borrowing. You can see this safety check occur throughout the function where in most scenarios the debtCeiling() returns the following logical statement:

_hardCap < creditMinterBuffer ? _hardCap : creditMinterBuffer;

Unfortunately, at the end of the function the final set of code logic runs:

// return min(creditMinterBuffer, hardCap, debtCeiling)
if (creditMinterBuffer < _debtCeiling) {
    return creditMinterBuffer;
}
if (_hardCap < _debtCeiling) {
    return _hardCap;
}
return _debtCeiling;

This logic dictates that as long as creditMinterBuffer is lower than _debtCeiling, then creditMinterBuffer will be returned in the function. However, it does not consider if _hardCap is lower than the creditMinterBuffer. This can lead to a scenario where the debtCeiling() returns a value larger than expected.

We can see this in action in the following sample code below:

function debtCeiling() public returns (uint) {
    uint creditMinterBuffer = 100;
    uint _debtCeiling = 101;
    uint _hardCap = 99;
    
    uint returnValue;
    
    
    if (creditMinterBuffer < _debtCeiling) {
        return creditMinterBuffer;
    }
    if (_hardCap < _debtCeiling) {
        return _hardCap;
    }
}

uint ceiling = debtCeiling(); // will return 100

The protocol should re-work the function to do the following:

uint ceiling = _hardCap;

if (creditMinterBuffer < ceiling) {
    ceiling = creditMinterBuffer;
}
if (_debtCeiling < ceiling) {
    ceiling = _debtCeiling;
}

return ceiling;

#0 - c4-judge

2024-01-30T23:29:22Z

Trumpero marked the issue as duplicate of #708

#1 - c4-judge

2024-01-30T23:29:25Z

Trumpero marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter