Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adjusting a CDP allows a user to reduce their collateral under the threshold enforced by the protocol #122

Open
c4-bot-10 opened this issue Jul 7, 2024 · 0 comments
Open

Adjusting a CDP allows a user to reduce their collateral under the threshold enforced by the protocol #122

c4-bot-10 opened this issue Jul 7, 2024 · 0 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_primary AI based primary recommendation 🤖_13_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-10
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-06-badger/blob/main/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L403-L467

Vulnerability details

Impact

Users have the ability to reduce the risk of their position and bypass the protocol design restrictions, effectively reducing the rewards intended for liquidators and getting rid of the 0.2 stETH gas stipend in the position.

Proof of concept

The protocol enforces users to deposit at least 2 stETH, as stated in the documentation : "CDPs must have a size of at least 2 stETH of collateral"

A "gas stipend" of 0.2 stETH is required to be transferred "in addition to the collateral" as an incentive for the liquidators "to cover the transaction's gas cost".

This essentially means a user must deposit 2.2 stETH when a CDP is opened. This is enforced in _openCdp() through the _requireAtLeastMinNetStEthBalance() function.

https://github.com/code-423n4/2024-06-badger/blob/main/ebtc-zap-router/src/EbtcLeverageZapRouter.sol#L217

// @audit LIQUIDATOR_REWARD == 2e17
_requireAtLeastMinNetStEthBalance(_stEthDepositAmount - LIQUIDATOR_REWARD);

...

function _requireAtLeastMinNetStEthBalance(uint256 _stEthBalance) internal pure {
    // @audit `MIN_NET_STETH_BALANCE` == 2e18
    require(
        _stEthBalance >= MIN_NET_STETH_BALANCE,
        "ZapRouterBase: Cdp's net stEth balance must not fall below minimum"
    );
}

However, a user has the ability to adjust his CDP to reduce his collateral under this 2.2 stETH because it does not implement sufficient checks.

Here is a modified version of the test_adjustCdp_debtDecrease_stEth test that demonstrates the collateral being under 2.2 stETH after adjustment

function test_adjustCdp_under_threshold() public {
    seedActivePool();

    (address user, bytes32 cdpId) = createLeveragedPosition(MarginType.stETH);

    IEbtcZapRouter.PositionManagerPermit memory pmPermit = createPermit(user);
    uint256 debtChange = 0.99e18;
    uint256 marginBalance = 2.87e18;
    uint256 collValue = _debtToCollateral(debtChange) * 10004 / 10000;
    _before();
    vm.startPrank(user);
    leverageZapRouter.adjustCdp(
        cdpId, 
        _getAdjustCdpParams(debtChange, -int256(debtChange), -int256(collValue), -int256(marginBalance), false), 
        abi.encode(pmPermit),
        _getExactInCollateralToDebtTradeData(collValue)
    );
    vm.stopPrank();
    _after();

    // Test zap fee (no fee if debt decrease)
    assertEq(eBTCToken.balanceOf(testFeeReceiver), 1e18 * defaultZapFee / 10000); 

    _checkZapStatusAfterOperation(user);

    pmPermit = createPermit(user);

    vm.startPrank(user);
    (uint256 debt, uint256 collShares) = cdpManager.getSyncedDebtAndCollShares(cdpId);
    
    assertLt(
        collShares,
        2.004e18
    );

    vm.stopPrank();
}

Tools used

Fuzzing, manual analysis

Recommended mitigation steps

Add additional checks in the adjust operation to enforce the 2.2 stETH collateral in the CDP.

Assessed type

Context
@c4-bot-10 c4-bot-10 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jul 7, 2024
c4-bot-8 added a commit that referenced this issue Jul 7, 2024
@c4-bot-8
Greed issue #122
b1dc9ba
@c4-bot-12 c4-bot-12 added 🤖_13_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Jul 8, 2024
howlbot-integration bot added a commit that referenced this issue Jul 10, 2024
@howlbot-integration
Greed update issue #122
5ced22c
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_primary AI based primary recommendation 🤖_13_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@c4-bot-10 @c4-bot-12