Liquidators can extract extra value with flash loans, significantly reducing profits for other users #144

Closed
c4-bot-3 opened this issue Dec 18, 2023 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-994 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

c4-bot-3 commented Dec 18, 2023

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/ProfitManager.sol#L342-L405

Vulnerability details

Impact

Liquidators will be able to flash loan mint and stake before liquidating the borrower, extracting maximal potential value. While advantageous for liquidators, this significantly reduces gauge stakers' profits without changing the associated risks.

Proof of Concept

To extract the maximal possible value, bidders (liquidators) will mint with PSM and stake in the gauge they are liquidating. This is because, upon liquidation, onBid calls ProfitManager's notifyPnL, distributing part of the interest to gauge voters. This process is achievable in a single transaction, incentivizing liquidators to do it for every profitable (positive PnL) liquidation.

Example:

| Prerequisites | Values |
|---|---|
| Borrower coll | 10,000 USDC |
| Borrower loan | 7,000 USDC |
| Borrower fees (start + interest) | 1,000 USDC |
| Gauge weight | 10,000 |
| PM split - buffer/credit/gauge | 20% / 40% / 40% |

  1. Borrower misses a payment.
  2. Call triggers the auction, reaching a profitable point of 8,000 USDC credit for 8,100 USDC collateral.
  3. Alice executes a Flash loan transaction:
    • Flash loan 90,000 USDC
    • Mint 90,000 gUSDC
    • Stake 90,000 gUSDC into the gauge
    • Bid on Bob's loan.
    • Call SGM getRewards
    • Unstake 90,000 gUSDC
    • Redeem 90,360 gUSDC
    • Pay the loan

After Alice bids on Bob's loan, calculations are performed, and ProfitManager's notifyPnL is called with 1,000 USDC to split. PM allocates 400 USDC to the gauge. However, Alice holds 90k out of 100k weight (90%), entitling her to 90% of the gauge's profit (360 USDC).

Alice profits 360 USDC from the FL (460 USDC in total) + the gauge tokens that SGM mints as rewardsRatio (360 with rewardRatio of 1), while the remaining gauge stakers split the remaining 40 USDC. This scenario disincentivizes staking for a given gauge, as liquidation becomes a safer and more profitable alternative.

POC

Gist - https://gist.github.com/0x3b33/cf4349253c7762ab4c3d099ecadbea95
Add to - 2023-12-ethereumcreditguild/test/unit/loan/.sol
Run it with - forge test --match-test test_flashLoanExtraProfit

Tools Used

Manual review

Recommended Mitigation Steps

Implementing a dripping mechanism similar to that used with credit tokens (here) may be the most effective solution, albeit making gauges more complex. Alternatively, pausing mint could be considered, but this might only make it more challenging as liquidators can still use flash loans to acquire credits through other means.

Assessed type

Error
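
The accounting behind the report's example, as an added Python model that is not part of the original report or the project's code. It compares instant pro-rata crediting with a linear drip; the Gauge class, the 3,600-second drip period and the linear release are assumptions for illustration, while the gauge weight, the 40% gauge split and the amounts come from the report's table.

```python
from fractions import Fraction

class Gauge:  # toy per-weight profit index (hypothetical model, not ECG code)
    def __init__(self, drip_period=0):           # 0 = profit credited instantly
        self.drip_period = drip_period
        self.weight, self.paid, self.earned = {}, {}, {}
        self.index = Fraction(0)                  # cumulative profit per unit weight
        self.pending = self.rate = Fraction(0)    # undistributed profit, release rate
        self.last = 0

    def _advance(self, now):
        total = sum(self.weight.values())
        if self.pending and total and now > self.last:
            released = min(self.pending, self.rate * (now - self.last))
            self.index += released / total
            self.pending -= released
        self.last = now

    def _settle(self, who, now):
        self._advance(now)
        owed = self.weight.get(who, 0) * (self.index - self.paid.get(who, self.index))
        self.earned[who] = self.earned.get(who, 0) + owed
        self.paid[who] = self.index

    def stake(self, who, amount, now):
        self._settle(who, now)
        self.weight[who] = self.weight.get(who, 0) + amount
    def unstake(self, who, amount, now):
        self._settle(who, now)
        self.weight[who] -= amount

    def notify_profit(self, amount, now):
        self._advance(now)
        if self.drip_period == 0:
            self.index += Fraction(amount) / sum(self.weight.values())
        else:                                     # release linearly over the period
            self.pending += amount
            self.rate = self.pending / self.drip_period

    def claim(self, who, now):
        self._settle(who, now)
        return self.earned.pop(who, 0)

def scenario(drip_period):
    g, t = Gauge(drip_period), 1_000              # t: timestamp of the liquidation tx
    g.stake("stakers", 10_000, now=0)             # gauge weight from the report
    g.stake("alice", 90_000, now=t)               # stake added in the same tx as the bid
    g.notify_profit(Fraction(1_000 * 40, 100), now=t)   # 40% gauge share of 1,000
    alice = g.claim("alice", now=t)
    g.unstake("alice", 90_000, now=t)
    return alice, g.claim("stakers", now=t + max(drip_period, 1))
```

scenario(0) returns (360, 40), the split described in the report; scenario(3600) returns (0, 400), because weight that is added and removed at the same timestamp accrues nothing while the profit is still being released.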

@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 18, 2023
c4-bot-5 added a commit that referenced this issue Dec 18, 2023
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 5, 2024
@c4-pre-sort

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort

0xSorryNotSorry marked the issue as duplicate of #994

@c4-judge

Trumpero marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 25, 2024