Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

High - The liquidate() function underflows due to LIQUIDATION_BONUS

TeamFliBit

Summary

It is a known issue that the protocol will break if it is insolvent. However, above 100% collateral rate (solvent) it is supposed to work, which is not the case.

The 10% liquidation_bonus breaks the liquidate() function when the collateral rate is above 100% but below 110%

Vulnerability Details

Observe the example in the comments of the liquidate function()

// We want to burn their DSC "debt"

// And take their collateral

// Bad User: $140 ETH, $100 DSC

// debtToCover = $100

// $100 of DSC == ??? ETH?

// 0.05 ETH

uint256 tokenAmountFromDebtCovered = getTokenAmountFromUsd(collateral, debtToCover);

// And give them a 10% bonus

// So we are giving the liquidator $110 of WETH for 100 DSC

// We should implement a feature to liquidate in the event the protocol is insolvent

// And sweep extra amounts into a treasury

This works fine as long as the bad debt is above $110, but what happens when it is below?

Example:

bad debt = $105 ETH, 100 DSC
liquidator pays 100 DSC and receives $100*1.10 = 110 dollar in ETH

The liquidate() function will call _redeemCollateral() which will then try to deduct 110 dollar in ETH from a balance of 105 dollar in ETH and cause an underflow which will then revert the function.

s_collateralDeposited[from][tokenCollateralAddress] -= amountCollateral;

POC in Github Gist

Impact

Collateral positions that should be callable by liquidate() are not working and this breaks a critical function of the system.

Tools Used

Manual review, Foundry

Recommendations

Implement a check in the liquidate() function that makes sure the amount to be received by the liquidator can never be greater than the amount held by the initial collateral holder.

uint256 remainingValueCollateral = getUsdValue(collateral,s_collateralDeposited[from][tokenCollateralAddress];

if( remainingValueCollateral<=totalCollateralToRedeem ){ totalCollateralToRedeem = remainingValueCollateral;};

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.