block stuffing attack can make user stake gone

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/AuctionHouse.sol#L118-L161

Vulnerability details

Impact

gauge whale staking will be gone cause of block stuffing .

Proof of Concept

In auction , there is two phases ,In first one phase , auction house asked full credit for debt and offered collateral based on time passed . In second phase , auction house offer full collateral and reduced credit asked based on time passed .

ATTACK SCENARION

In first phase , auction house will send back some collateral to borrower for sure .If malicious borrower can make transaction revert , there will be no bid happen in first phase .To be reverted , malicious collateral is needed to call back to malicious borrower (malicious collateral must implement call back when transfer ). If malicious borrower can onboard lending term with that malicious collateral which has upgradable proxy , malicious borrower can make transaction revert that call back to him.

      function onBid(
    bytes32 loanId,
    address bidder,
    uint256 collateralToBorrower,
    uint256 collateralToBidder,
    uint256 creditFromBidder
) external {
   ..../
      //*@audit-info ------->>> user contract can make it revert
    if (collateralToBorrower != 0) {
        IERC20(params.collateralToken).safeTransfer(
            loans[loanId].borrower,
            collateralToBorrower
        );
    }
      }

In second phase , malicious user can do block stuffing for a few seconds, there will be loss incurred in notifyPnl , And notifyGaugeloss is also triggered ,This will cause user stake got slashed .

In case , gauge whale see that debt in auction and try to bit it , That's why implemented block stuffing for second phase .

In arbitrum , gas fee is really low and block stuffing is possible .
https://arxiv.org/pdf/2307.14773.pdf

This attack is really great when whales stake a lot of guage in that lending term .

Tools Used

manual view

Recommended Mitigation Steps

partial slashing is best way i guess , not all weight slashing

Assessed type

DoS

[0xSorryNotSorry]

The submission does not provide any demonstration of the issue, reasoning and code blocks.

[c4-pre-sort]

0xSorryNotSorry marked the issue as insufficient quality report

[c4-judge]

Trumpero marked the issue as unsatisfactory:
Insufficient quality

[irving4444]

@Trumpero Could you pls check this report again?I did mention malicious collateral that will call back to attacker during first phase to revert the transaction and for second phase ,block stuffing attack will be happen . This report is also almost same as #685 .

[Trumpero]

@irving4444 Agree that this should be a dup of #685, but should receive only 50% partial credit due to the lack of quality.

[c4-judge]

Trumpero marked the issue as duplicate of #685

[c4-judge]

Trumpero marked the issue as satisfactory

[c4-judge]

Trumpero marked the issue as partial-50

[c4-judge]

Trumpero changed the severity to 2 (Med Risk)