Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hardcoded Min_stake of 1e18 doesn’t incentivize staking expensive tokens #1027

Open
c4-bot-7 opened this issue Dec 28, 2023 · 5 comments
Open

Hardcoded Min_stake of 1e18 doesn’t incentivize staking expensive tokens #1027

c4-bot-7 opened this issue Dec 28, 2023 · 5 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-597 grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality

Comments

@c4-bot-7
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/SurplusGuildMinter.sol#L26

Vulnerability details

Impact

Each CREDIT Token holder (gUSDC, gWETH, gWBTC, etc.) can stake them and start voting in a gauge. However, there's a minimum staking amount (MIN_STAKE) of 1e18. This means that for certain markets, staking will be more expensive compared to others because of this fixed minimum stake requirement.

Proof of Concept

For instance, in the case of gUSDC, users looking to stake will need to provide approximately 1 USDC (based on creditMultiplier). On the other hand, for gWBTC, they would need to stake around 1 BTC ($42,000 at the time of writing). This could discourage users from staking in such terms.

contract SurplusGuildMinter is CoreRef {
    /// @notice minimum number of CREDIT to stake
    uint256 public constant MIN_STAKE = 1e18;

....

Tools Used

Manual Review

Recommended Mitigation Steps

Include the MIN_STAKE value in the constructor, making it dependent on the Credit Token for that specific term.

Assessed type

Context
@c4-bot-7 c4-bot-7 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 28, 2023
c4-bot-2 added a commit that referenced this issue Dec 28, 2023
@c4-bot-2
SBSecurity issue #1027
5950f02
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 4, 2024
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #597

@c4-judge c4-judge removed the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Jan 25, 2024
@c4-judge
Copy link
Contributor

Trumpero changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jan 25, 2024
@c4-judge
Copy link
Contributor

Trumpero marked the issue as grade-b

@Trumpero Trumpero mentioned this issue Jan 31, 2024
Open
@c4-judge c4-judge added grade-a and removed grade-b labels Jan 31, 2024
@c4-judge
Copy link
Contributor

Trumpero marked the issue as grade-a

@C4-Staff C4-Staff reopened this Feb 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-597 grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @C4-Staff @c4-bot-7