DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Valid

ShortRecord's collateralRatio can exceed maximum

Summary

The protocol restricts the maximum value of collateralRatio; it is currently set to 1500%.
However, users can repay ercDebt and raise collateralRatio to an arbitrary value. This can be done via Secondary Exit Short.

Vulnerability Details

There is no check on the maximum collateralRatio in the functions exitShortWallet() and exitShortErcEscrowed(). In these functions the user provides erc tokens and the ercDebt of the shortRecord decreases. collateralRatio is calculated as collateral / debt, so a user can repay, for example, 99% of the debt, and the collateralRatio becomes 100 times higher.

This check is present, however, in short order creation and in collateral updates:

https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/facets/ShortOrdersFacet.sol#L45-L48

https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/facets/ShortRecordFacet.sol#L56

Impact

Short records with a collateralRatio above the limit can exist in the protocol.

Tools Used

Manual Review

Recommendations

Add a check on collateralRatio in both functions (added lines marked with +):

function exitShortErcEscrowed(address asset, uint8 id, uint88 buyBackAmount)
    external
    isNotFrozen(asset)
    nonReentrant
    onlyValidShortRecord(asset, msg.sender, id)
{
    ...
    if (ercDebt == buyBackAmount) {
        ...
    } else {
        short.ercDebt -= buyBackAmount;
        short.maybeResetFlag(asset);
+       if (LibShortRecord.getCollateralRatio(short, asset) >= Constants.CRATIO_MAX) {
+           revert Errors.InvalidInitialCR();
+       }
    }
    ...
}

function exitShortWallet(address asset, uint8 id, uint88 buyBackAmount)
    external
    isNotFrozen(asset)
    nonReentrant
    onlyValidShortRecord(asset, msg.sender, id)
{
    ...
    if (buyBackAmount == ercDebt) {
        ...
    } else {
        short.ercDebt -= buyBackAmount;
        short.maybeResetFlag(asset);
+       if (LibShortRecord.getCollateralRatio(short, asset) >= Constants.CRATIO_MAX) {
+           revert Errors.InvalidInitialCR();
+       }
    }
    ...
}

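As an added worked example (not code from the Ditto repository), the following Python model reproduces the arithmetic from the Vulnerability Details and the Recommendations: collateralRatio taken as collateral / debt with CRATIO_MAX = 1500%, a partial exit with and without the recommended check, and the largest repayment the fixed check would accept. The class and function names are stand-ins for the Solidity ones and are assumptions of this example.

```python
from dataclasses import dataclass
from fractions import Fraction

CRATIO_MAX = Fraction(15)  # 1500%, the protocol maximum stated in the finding

class InvalidInitialCR(Exception):
    """Stands in for Errors.InvalidInitialCR() in the recommended fix."""

@dataclass
class ShortRecord:
    collateral: Fraction  # collateral backing the short
    erc_debt: Fraction    # outstanding ercDebt

    def collateral_ratio(self) -> Fraction:
        # collateralRatio = collateral / debt, as the finding describes it
        return self.collateral / self.erc_debt

def open_short(collateral, erc_debt) -> ShortRecord:
    """Creation path, where the existing CRATIO_MAX check already applies."""
    short = ShortRecord(Fraction(collateral), Fraction(erc_debt))
    if short.collateral_ratio() >= CRATIO_MAX:
        raise InvalidInitialCR
    return short

def exit_short_partial(short, buy_back_amount, enforce_max_cr) -> Fraction:
    """else-branch of exitShortWallet()/exitShortErcEscrowed(): repay part of
    ercDebt, record stays open. False = current behaviour, True = recommended fix."""
    buy_back_amount = Fraction(buy_back_amount)
    if buy_back_amount >= short.erc_debt:
        raise ValueError("full exit closes the record; not modelled here")
    short.erc_debt -= buy_back_amount
    if enforce_max_cr and short.collateral_ratio() >= CRATIO_MAX:
        raise InvalidInitialCR
    return short.collateral_ratio()

def max_partial_repay(short) -> Fraction:
    """Debt must stay above collateral / CRATIO_MAX; exactly this amount reverts."""
    return short.erc_debt - short.collateral / CRATIO_MAX

def demo() -> dict:
    # Open at 200% CR (collateral 2, debt 1), then repay 99% of the debt.
    unchecked = exit_short_partial(open_short(2, 1), Fraction(99, 100), False)
    try:
        exit_short_partial(open_short(2, 1), Fraction(99, 100), True)
        reverts = False
    except InvalidInitialCR:
        reverts = True
    return {"cr_after_unchecked_exit": unchecked,  # 200, i.e. 20000%
            "checked_exit_reverts": reverts,
            "max_safe_repay": max_partial_repay(open_short(2, 1))}
```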
Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-411
