Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 41/147
Findings: 2
Award: $401.63
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/TRSRY.sol/#L80 https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/TRSRY.sol/#L93
New modules could potentially drain the treasury by withdrawing instead of allocating debt.
The loan and withDrawReserves have the same approval amount.
Attacker proposes a new module via governance. This module is an external project, that in the specification can take a 1% loan from the reserves, providing their own OHM as collateral.
Module asks the TreasuryGuardian to approve 1% of debt.
Custodian (maybe some automated module at this point), checks for debt level, which is 0%.
TreasuryGuardian grants approval for these 1% of funds.
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/TreasuryCustodian.sol/#L47
Instead if calling getLoan, the module calls withdrawReserves, without adding to the debt.
Now the module has withdrawn funds without adding to the debt.
The module can repeat previous steps to withdraw all funds
Note: This is just a possible attack vector that might never happen. But it could nefariously be included via governance in a future module.
It can be observed in code that the debt and withdrawal are accounted in the same mapping.
vscode, juanblanco.solidity, tintinweb.solidity-visual-auditor
Account for withdrawal and debt in separate mappings. This doesn't seem to include any negative side effects, therefore it can make sense to enable it in TRSRY.
#0 - 0xean
2022-09-19T18:39:14Z
dupe of #75
🌟 Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
54.3679 DAI - $54.37
Since the swap function is so profitable, and presumably depletes the capacity of the Range quickly, then is the Bond system actually necessary?
If not, then bond markets add complexity to the system, which might introduce new issues or attack vectors.
According to OlympusDAO’s home page, the OHM token is defined as decentralized and censorship-resistant:
Olympus is building OHM, a community-owned, decentralized and censorship-resistant reserve currency that is asset-backed, deeply liquid and used widely across Web3.
DAI has USDC collateral which can be frozen by the US government. DAI could potentially lose 50% or more of it’s peg. (3.5B$ - 50% of DAI collateral is USDC). RBS uses single asset (DAI) for it’s calculations.
Therefore it is a bit misleading saying OHM is censorship resistant. However, DAI has plans to sell it's USDC reserve for ETH. This would make DAI censorship resistant, but depeg itself from the $ and cause possible side effects for the RBS system.