Attacker can enable redemptions during Off-Boarding allowing users to redeem peg tokens #471
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- downgraded by judge: Judge downgraded the risk level of this issue
- duplicate-1141
- satisfactory: satisfies C4 submission criteria; eligible for awards
- sufficient quality report: This report is of sufficient quality
Lines of code
- https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L191-L195
- https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SimplePSM.sol#L149-L154
Vulnerability details

According to the docs:

"Since liquidation occurs by auction, it will still set a market price instead of allowing some users to redeem above peg after a loss has occurred. During a LendingTerm offboarding (while auctions of the collateral of a term are running), redemptions in the PSM are paused."

The LendingTermOffboarding contract allows any GUILD holder to open a poll for the removal of a lending term, and if enough GUILD holders vote for the removal poll, the term can be offboarded without delay.

After the poll for a lending term reaches quorum, offboard() is called to remove that lending term from the gauge set and pause redemptions in the SimplePSM contract. After all the loans of that lending term have been settled, cleanup() is called to revoke the term's minter and PnL notifier roles. If no other offboardings are still in progress, cleanup() also unpauses redemptions in the SimplePSM contract. Otherwise the only other way to enable or disable redemptions is through the Governor role.

However, any GUILD holder who has not yet voted on a finished poll can cheaply re-enable redemptions while another offboarding is still in progress, allowing users to redeem CREDIT for peg tokens while collateral auctions are still running.
Proof of Concept

nOffboardingsInProgress keeps track of the number of offboardings currently in progress. After quorum has been reached, offboard() is called, which removes the lending term and pauses redemptions. cleanup() decrements the counter, and if no offboardings are left (the if statement on --nOffboardingsInProgress == 0), redemptions are unpaused; canOffboard[term] is then set to false for that lending term. While redemptions are paused, users cannot redeem CREDIT for peg tokens.

The problem is that a poll that has already passed can be "won" again after cleanup(). supportOffboard() only checks that the poll exists and has not expired (POLL_DURATION_BLOCKS), that the caller had GUILD voting weight at the snapshot block, and that the caller has not voted on that poll yet. It does not check whether the term has already been offboarded and cleaned up. Any additional vote on a poll whose tally is already at or above quorum sets canOffboard[term] = true again, which lets cleanup() be called a second time for the same term and decrement nOffboardingsInProgress once more.

Attack scenario:

1. offboard() has been called for lending terms X and Y, pausing redemptions in the PSM. This sets nOffboardingsInProgress = 2.
2. All loans of X are settled and cleanup(X) is called, setting nOffboardingsInProgress = 1. Redemptions are still paused because Y's offboarding (and its collateral auctions) is still in progress.
3. The attacker, a GUILD holder who has not yet voted on X's poll, calls supportOffboard() with lending term X as the parameter. The call passes because POLL_DURATION_BLOCKS has not elapsed for X's poll, and since quorum was already reached previously, canOffboard[X] is set to true again.
4. The attacker calls cleanup(X) a second time. Every check passes: X's issuance is still zero, X is still a removed gauge, and revoking roles that were already revoked does not revert.
5. --nOffboardingsInProgress == 0, so the if condition is satisfied and redemptions are set to unpaused in the SimplePSM while Y's offboarding is still in progress.

More generally, if ten offboardings are in progress and any one of them reaches cleanup() within the POLL_DURATION_BLOCKS (7 day) window of its poll, GUILD holders who have not voted on that term's poll can call supportOffboard() followed by cleanup() repeatedly, driving the counter to zero and unpausing redemptions.

Impact
According to the docs:

"The SimplePSM targets a value equal to ProfitManager.creditMultiplier(), so when bad debt is created and all loans are marked up, they stay the same in terms of peg token, because new CREDIT can be minted with fewer peg tokens from the PSM." Conversely, when new loans are issued, if there are funds available in the SimplePSM, borrowers know the amount of peg tokens they'll be able to redeem their borrowed CREDIT for.

The above attack breaks this core functionality. Users are able to redeem CREDIT for peg tokens during the offboarding phase, before the collateral auctions have set a market price and any loss has been accounted for, which is exactly what the pause exists to prevent. Redemptions above peg after a loss drain the PSM's peg token reserves and decrease the CREDIT supply at the expense of the remaining holders.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a check in supportOffboard() to ensure the lending term being voted on still exists as an active gauge. This way, if the attacker tried to vote on a term that has already been removed, the function would revert, and the poll could not be "won" again to reset canOffboard[term] after cleanup().

Assessed type
Error
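The following Python model, written for this page and not part of the project's Solidity, replays the X/Y attack scenario from the Proof of Concept and the check proposed in the Recommended Mitigation Steps. It keeps only the state the report reasons about (poll tallies, canOffboard, nOffboardingsInProgress, the PSM's pause flag, the set of active gauges, and each term's issuance); the block count, quorum, voter names and weights are constructed values, and the `strict` mode that rejects votes on a term that is no longer an active gauge is the mitigation described above, not code from the repository.

```python
POLL_DURATION_BLOCKS = 46_523   # roughly 7 days of blocks; assumed value for this model
QUORUM = 10_000_000             # GUILD weight needed to pass a poll; assumed value


class OffboardingModel:
    """Minimal model of the offboarding state the report reasons about (not the contract)."""

    def __init__(self, strict=False):
        self.strict = strict                # True applies the proposed mitigation
        self.block = 0                      # current block number
        self.polls = {}                     # (snapshot_block, term) -> weight tallied
        self.votes = set()                  # (voter, snapshot_block, term) already cast
        self.can_offboard = {}              # term -> bool
        self.n_offboardings_in_progress = 0
        self.redemptions_paused = False     # mirrors SimplePSM.redemptionsPaused
        self.live_gauges = set()            # terms currently active in the gauge set
        self.issuance = {}                  # term -> outstanding CREDIT borrowed
        self.roles = {}                     # term -> roles currently granted

    def add_term(self, term, issuance):
        self.live_gauges.add(term)
        self.issuance[term] = issuance
        self.roles[term] = {"RATE_LIMITED_CREDIT_MINTER", "GAUGE_PNL_NOTIFIER"}

    def propose_offboard(self, proposer, weight, term):
        """Open a poll at the current block, counting the proposer's weight."""
        snapshot = self.block
        self.polls[(snapshot, term)] = weight
        self.votes.add((proposer, snapshot, term))
        if weight >= QUORUM:
            self.can_offboard[term] = True
        return snapshot

    def support_offboard(self, voter, weight, snapshot, term):
        if self.block > snapshot + POLL_DURATION_BLOCKS:
            raise ValueError("poll expired")
        if (snapshot, term) not in self.polls:
            raise ValueError("poll not found")
        if (voter, snapshot, term) in self.votes:
            raise ValueError("already voted")
        if self.strict and term not in self.live_gauges:
            # Mitigation: refuse votes on a term that has already been removed
            raise ValueError("term is no longer an active gauge")
        self.votes.add((voter, snapshot, term))
        self.polls[(snapshot, term)] += weight
        if self.polls[(snapshot, term)] >= QUORUM:
            self.can_offboard[term] = True   # set again even if already cleaned up

    def offboard(self, term):
        if not self.can_offboard.get(term, False):
            raise ValueError("quorum not met")
        if term not in self.live_gauges:
            raise ValueError("gauge already removed")
        self.live_gauges.remove(term)
        self.redemptions_paused = True
        self.n_offboardings_in_progress += 1

    def cleanup(self, term):
        if not self.can_offboard.get(term, False):
            raise ValueError("quorum not met")
        if self.issuance[term] != 0:
            raise ValueError("not all loans closed")
        if term in self.live_gauges:
            raise ValueError("re-onboarded")
        self.roles[term].clear()             # revoking an absent role is a no-op, no revert
        self.n_offboardings_in_progress -= 1
        if self.n_offboardings_in_progress == 0 and self.redemptions_paused:
            self.redemptions_paused = False  # unpause SimplePSM redemptions
        self.can_offboard[term] = False


def run_scenario(strict):
    """Replay the report's X/Y scenario; return the state after the attacker's calls."""
    m = OffboardingModel(strict=strict)
    m.add_term("X", issuance=0)                 # X's loans are already settled
    m.add_term("Y", issuance=1_000 * 10**18)    # Y still has collateral being auctioned
    snap_x = m.propose_offboard("alice", QUORUM, "X")
    m.propose_offboard("alice", QUORUM, "Y")
    m.offboard("X")
    m.offboard("Y")                             # n = 2, redemptions paused
    m.cleanup("X")                              # legitimate: n goes 2 -> 1, still paused
    m.block += 100                              # still well inside POLL_DURATION_BLOCKS
    blocked = None
    try:
        m.support_offboard("bob", 1, snap_x, "X")   # bob never voted on X's poll
        m.cleanup("X")                              # second cleanup of the same term
    except ValueError as err:
        blocked = str(err)
    return {
        "blocked": blocked,
        "redemptions_paused": m.redemptions_paused,
        "in_progress": m.n_offboardings_in_progress,
        "y_issuance": m.issuance["Y"],
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(strict=False))
    print("mitigated: ", run_scenario(strict=True))
```

In the vulnerable run the second cleanup(X) drives the counter to zero and clears the pause flag even though Y still has a non-zero issuance; in strict mode the extra vote reverts at supportOffboard(), the counter stays at 1 and redemptions remain paused until Y's own cleanup().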