DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Partial filled short does not reset liquidation flag after user gets fully liquidated, meaning healthy position will still be flagged if the rest of the order gets filled.

0xCiphky

Summary

The protocol allows a short order to be partially matched, generating a short record for the matched amount. The unmatched portion of the order can be subsequently filled and added to the short record.
A short record is flagged if it falls below the primary liquidation ratio set by the protocol, signalling to the user that their position is nearing an unhealthy state. The user can resolve this by modifying the position to improve its health or by paying off the short and exiting the position.
If a user is unable to get their their position to a healthy state by a certain time they can be liquidated.
A vulnerability exists where, under specific circumstances, a user’s healthy position is flagged and can be instantly liquidated without warning.

Vulnerability Details

Consider the following scenario
1. User A creates a short order, 50% of which is filled with a bid.
2. User A’s position falls below the primary liquidation ratio and is flagged by User B.
3. User A’s position is fully liquidated by User B, with the flag remaining active post liquidation.
4. The remaining order gets filled at a healthy ratio but remains flagged.

Click to expand Proof of Concept

function testPShortFLiquidatePShort() public {

skipTimeAndSetEth(2 hours, 4000 ether);

// Create short

fundLimitShortOpt(DEFAULT_PRICE, DEFAULT_AMOUNT * 2, sender);

// create bid half of short

fundLimitBidOpt(DEFAULT_PRICE, DEFAULT_AMOUNT, receiver);

//get short

STypes.ShortRecord memory shortBeforeFlag =

getShortRecord(sender, Constants.SHORT_STARTING_ID);

//check short flag

assertEq(shortBeforeFlag.flaggerId, 0);

// fall in price

skipTimeAndSetEth(2 hours, 2000 ether);

// flag short

vm.prank(extra);

diamond.flagShort(asset, sender, Constants.SHORT_STARTING_ID, Constants.HEAD);

// skip user grace period

skipTimeAndSetEth(12 hours, 2000 ether);

//get short

STypes.ShortRecord memory shortAfterFlag =

getShortRecord(sender, Constants.SHORT_STARTING_ID);

//check short flag

assertGt(shortAfterFlag.flaggerId, 0);

// liquidate short

vm.prank(extra);

diamond.liquidate(

asset, sender, Constants.SHORT_STARTING_ID, shortHintArrayStorage

);

//get short

STypes.ShortRecord memory shortAfterExit =

getShortRecord(sender, Constants.SHORT_STARTING_ID);

//check short flag

assertGt(shortAfterExit.flaggerId, 0);

//price recover back to initial

skipTimeAndSetEth(2 hours, 4000 ether);

// rest of the short order gets filled

fundLimitBidOpt(DEFAULT_PRICE, DEFAULT_AMOUNT, receiver);

//get short

STypes.ShortRecord memory shortAfterMatch =

getShortRecord(sender, Constants.SHORT_STARTING_ID);

//check short flag

assertGt(shortAfterMatch.flaggerId, 0);

}

Impact

A healthy short is incorrectly flagged.
If the new short falls below the primary liquidation ratio:
- It cannot be flagged by another user until updatedAt (when short was filled) plus the reset time is reached.
- It can be liquidated after updatedAt (when short was filled) plus the firstLiquidationTime till resetLiquidationTime even if it was never flagged.
- Keep in mind the shorts updatedAt will be updated when the short gets filled so this will push the liquidation times up by the time diff (fillShort - flagged).
A user is also unable to use certain protocol functionality (e.g. transfer the short).

Tools Used

Manual Analysis
Foundry

Recommendations

The liquidation process must reset the flag in full liquidations to ensure that users don’t start off with healthy positions flagged when the unmatched portion gets filled.

if (m.short.ercDebt == m.ercDebtMatched) {

// Full liquidation

LibShortRecord.disburseCollateral(

m.asset,

m.shorter,

m.short.collateral,

m.short.zethYieldRate,

m.short.updatedAt

);

LibShortRecord.deleteShortRecord(m.asset, m.shorter, m.short.id);

if (!m.loseCollateral) {

m.short.collateral -= decreaseCol;

s.vaultUser[m.vault][m.shorter].ethEscrowed += m.short.collateral;

s.vaultUser[m.vault][address(this)].ethEscrowed -= m.short.collateral;

// reset flag here

short.resetFlag()

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge about 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-176

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.