This repository has been archived by the owner on Sep 17, 2023. It is now read-only.
sherlock-admin opened this issue Mar 13, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
cducrest-brainbot
high
Keepers can clean off debts
Summary
The documentation for the protocol states that keepers are "trusted with vault yield but not user collateral. They generally perform upkeep on the vault such as swapping yield for Tau and running the LiquidationBot." However, they can abuse the SwapHandler.swapForTau() function to clean off the debt of every user of the protocol. With that, they can mint any amount of TAU they like and break the protocol.
Vulnerability Detail
swapForTau can only be called by the keepers. It uses an input argument _rewardProportion to determine the portion of swapped TAU used to repay the users' debt via TauDripFeed._withholdTau(). A value of _rewardProportion = 1e18 means all the TAU swapped will be used to repay user debts.
However, there is no limit to the value provided by the keeper. Additionally, the accounting for reward is decorrelated from the actual balance of TAU received by the SwapHandler. As a result, the keeper can submit _rewardProportion = 1e70 (or any arbitrary value) to use 1e52 * amount of TAU received to repay debts, which should completely clean off all the debts in the vault.
Impact
Keeper has the power to break the protocol (clean off all the debt). They can open a position to withdraw as many TAU as they can, clean off their debts, and start again to mint as many TAU as they want.
Keeper has more power than the documentation claims they have.
Code Snippet
_rewardProportion provided by keeper in swapForTau(): https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L45-L52
_withholdTau called with tauReturned * _rewardProportion: https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L91
_withholdTau increases tauWithheld, which is later used to repay user debts: https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/TauDripFeed.sol#L106-L110
Tool used
Manual Review
Recommendation
Limit the provided value of _rewardProportion by 1e18.
Duplicate of #11
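The bound recommended above, shown next to the unbounded pattern the report describes. This is an added example, not code from the Taurus repository or from the report's author: the contract name WithholdModel, the functions withholdUnbounded and withholdBounded, the custom error and the PRECISION constant are assumptions, and tauReturned is passed in as a parameter instead of being measured from a swap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// @notice Simplified accounting model constructed for this example.
///         Identifier names mirror the report; the bodies are assumptions,
///         not the Taurus source.
contract WithholdModel {
    /// 1e18 represents 100% of the swapped TAU, as stated in the report.
    uint256 public constant PRECISION = 1e18;

    /// TAU set aside to repay user debts (tauWithheld in the report).
    uint256 public tauWithheld;

    error RewardProportionTooHigh(uint256 provided, uint256 max);

    /// Pattern described in the report: the keeper-supplied proportion
    /// scales the credited amount and nothing caps it at 100%.
    function withholdUnbounded(uint256 tauReturned, uint256 _rewardProportion)
        external
        returns (uint256 withheld)
    {
        withheld = (tauReturned * _rewardProportion) / PRECISION;
        tauWithheld += withheld; // may be larger than tauReturned
    }

    /// Recommended fix: reject any proportion above 1e18 before it is used.
    function withholdBounded(uint256 tauReturned, uint256 _rewardProportion)
        external
        returns (uint256 withheld)
    {
        if (_rewardProportion > PRECISION) {
            revert RewardProportionTooHigh(_rewardProportion, PRECISION);
        }
        withheld = (tauReturned * _rewardProportion) / PRECISION;
        // Invariant that follows from the bound: the credit never exceeds
        // the TAU received. Kept as an assert so a later refactor that
        // breaks the bound fails loudly in tests.
        assert(withheld <= tauReturned);
        tauWithheld += withheld;
    }
}
```

In the unbounded function a proportion of 2e18 credits twice the TAU passed in; the bounded function reverts for any value above 1e18.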