Adjusting a CDP allows a user to reduce their collateral under the threshold enforced by the protocol #122
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
🤖_primary: AI based primary recommendation
🤖_13_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-badger/blob/main/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L403-L467
Vulnerability details
Impact
Users have the ability to reduce the risk of their position and bypass the protocol design restrictions, effectively reducing the rewards intended for liquidators and getting rid of the 0.2 stETH gas stipend in the position.
Proof of concept
The protocol requires users to deposit at least 2 stETH, as stated in the documentation: "CDPs must have a size of at least 2 stETH of collateral"
A "gas stipend" of 0.2 stETH is required to be transferred "in addition to the collateral" as an incentive for the liquidators "to cover the transaction's gas cost".
This essentially means a user must deposit 2.2 stETH when a CDP is opened. This is enforced in _openCdp() through the _requireAtLeastMinNetStEthBalance() function.
https://github.com/code-423n4/2024-06-badger/blob/main/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L217
However, a user has the ability to adjust his CDP to reduce his collateral under this 2.2 stETH because it does not implement sufficient checks.
Here is a modified version of the test_adjustCdp_debtDecrease_stEth test that demonstrates the collateral being under 2.2 stETH after adjustment
Tools used
Fuzzing, manual analysis
Recommended mitigation steps
Add additional checks in the adjust operation to enforce the 2.2 stETH collateral in the CDP.
Assessed type
Context
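The invariant the report asks for, as an added example that is not code from the report or from the eBTC repository: a simplified accounting model in which the open path enforces the 2.2 stETH floor, one adjust path omits the check, and a hardened adjust path validates the resulting balance. The contract, function, and constant names are hypothetical, and the model assumes collateral and stipend are tracked as one balance with no token transfers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Simplified model for illustration only; not the eBTC or zap router code.
contract CdpCollateralModel {
    // Values taken from the report: 2 stETH minimum size plus 0.2 stETH gas stipend.
    uint256 public constant MIN_COLLATERAL = 2 ether;
    uint256 public constant GAS_STIPEND = 0.2 ether;

    // Assumption: one position per account, stipend included in the balance.
    mapping(address => uint256) public collateralOf;

    error BelowMinimum(uint256 resulting, uint256 required);

    /// Shared check so every path that changes collateral applies the same floor.
    function _requireMinimum(uint256 total) internal pure {
        uint256 required = MIN_COLLATERAL + GAS_STIPEND;
        if (total < required) revert BelowMinimum(total, required);
    }

    /// Open path: the floor is enforced, as the report describes for _openCdp().
    function open(uint256 amount) external {
        require(collateralOf[msg.sender] == 0, "already open");
        _requireMinimum(amount);
        collateralOf[msg.sender] = amount;
    }

    /// Pattern described in the report: the adjust path lowers collateral
    /// without re-checking the floor, so the balance can end below 2.2 stETH.
    function adjustUnchecked(uint256 decrease) external {
        collateralOf[msg.sender] -= decrease;
    }

    /// Hardened adjust: compute the post-adjustment balance first, then
    /// apply the same floor used at open before committing the change.
    function adjustChecked(uint256 increase, uint256 decrease) external {
        uint256 current = collateralOf[msg.sender];
        require(current != 0, "no position");
        // Checked arithmetic in 0.8.x reverts if decrease exceeds the balance.
        uint256 resulting = current + increase - decrease;
        _requireMinimum(resulting);
        collateralOf[msg.sender] = resulting;
    }
}
```

A regression test for the real fix would mirror this: open at the minimum, attempt a collateral decrease through the adjust path, and expect a revert.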