Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AuctionHouse.getBidDetail() - Malicious actor can intentionally slash any successful term GUILD holders. #599

Closed
c4-bot-2 opened this issue Dec 26, 2023 · 10 comments
Closed

AuctionHouse.getBidDetail() - Malicious actor can intentionally slash any successful term GUILD holders. #599

c4-bot-2 opened this issue Dec 26, 2023 · 10 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-685 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-2
Copy link
Contributor

c4-bot-2 commented Dec 26, 2023
edited by c4-bot-6
Loading

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/AuctionHouse.sol#L118

Vulnerability details

Impact

In combination with USDT/USDC blacklist and block stuffing a malicious user can intentionally generate bad debt for successful term and slash all GUILD holders as a result.

Tokens like USDT and USDC have functions that allow them to blacklist an address. The consequence of this action is that a blacklisted user can no longer transfer or receive tokens, which will make the first phase of the auction always revert when trying to send the remaining collateral to the borrower, which will completely block the first phase.

After that when the midPoint passes, the malicious user can delay the second phase making use of block stuffing spaming the network with transactions for one or more blocks, to delay the debt repayment from active participants of the protocol. The result of this action would generate bad debt, which will slash all GUILD holders no matter if this is the best lending term out there and GUILD liquidity is worth a lot. This is huge loss of participants capital, without any real reason.

Proof of Concept

Coded PoC, which should be placed inside test/unit/loan/AuctionHouse.t.sol and executed with forge test --match-test testSlashGUILDTermBlacklistPlusBlockStuffing -vv

https://gist.github.com/NicolaMirchev/3a9d1cb926c6239493980c92136e5da8

Tools Used

Manual review

Recommended Mitigation Steps

  • Remove the transfer to the borrower inside LendingTerm::onBid so this function won’t be dependant on external ERC20 logic(blacklists)
  • You can introduce a state variable mapping(address -> uint256) collateralToBeRepayed or other name and a function ``withdrawRepayedLoanCollatelwhich will send the pending reward to the msg.sender` based on the mapping and decrement it.
  • The change inside onBid function may look like this:
// send collateral to borrower
        if (collateralToBorrower != 0) {
-             IERC20(params.collateralToken).safeTransfer(
-               loans[loanId].borrower,
-               collateralToBorrower
-            );
+              collateralToBeRepayed(loans[loanId].borrower) += collateralToBorrower;
        }





## Assessed type

Token-Transfer
@c4-bot-2 c4-bot-2 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 26, 2023
c4-bot-1 added a commit that referenced this issue Dec 26, 2023
@c4-bot-1
HighDuty issue #599
d8bfa9f
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 2, 2024
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #691

@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #1245

@c4-judge
Copy link
Contributor

Trumpero changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jan 27, 2024
@c4-judge
Copy link
Contributor

Trumpero marked the issue as grade-b

@NicolaMirchev
Copy link

Hey, @Trumpero

About block stuffing:

About Blacklisted ERC20s

  • In current issue we describe that a super successful lending term, which has a lot of participants, who want to pay the debt of the malicious borrow to save their stakes, cannot be liquidated in the first phase, because of the blacklisted borrower transfer.
    Sponsor has written that it is safe, because stakers would exit when they see that bidding doesn't work as expected, but this is not enough to consider it safe, because: duration of auction is limited to 30 minutes, which means that all participants which are not active every 20 minutes will be slashed before they even notice the malicious activity

@Trumpero
Copy link

Trumpero commented Feb 8, 2024

@NicolaMirchev Agree that this issue should be a dup of #685, since it also mentions the block stuffing attack in phase 2 of auction.

@c4-judge
Copy link
Contributor

c4-judge commented Feb 8, 2024

Trumpero removed the grade

@c4-judge c4-judge removed the grade-b label Feb 8, 2024
@thebrittfactor thebrittfactor added duplicate-685 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value satisfactory satisfies C4 submission criteria; eligible for awards and removed duplicate-1245 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Feb 8, 2024
@thebrittfactor
Copy link
Contributor

For transparency, the judge requested duplicate labels, severity and grade to be updated.

@NicolaMirchev
Copy link

NicolaMirchev commented Feb 9, 2024
edited
Loading

Hey, @Trumpero
What about the second point of my argument? Imagine being a whale with millions staked in a stable lending term. You go to sleep, or just no in front of the protocol for only 30 mins. malicious borrower cannot be liquidated, because it is always failing. When it could finally happen, term is slashed...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-685 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@NicolaMirchev @c4-judge @c4-pre-sort @Trumpero @thebrittfactor @code4rena-admin @c4-bot-2