DittoETH

Summary

Shorters can avoid paying the ercDebtRate penalty by sandwiching the margin call that would lead to an increment of the ercDebtRate. Exiting their short position right before the margin call and creating a new short position right after the margin call would skip the penalty, and by doing so the penalty of all other shorters would increase accordingly.

Also, there is another problem with the penalty. As the amount of assets to exit a short of all shorters which are currently in the system increases, more shorters need to enter the system so that these shorters are able to exit. The fact that there is an increment of the ercDebtRate could mean that the market condition is not good for shorters at the moment. Therefore, it could happen that a lot of shorters want to exit and not enough new shorters enter the system. This would prevent shorters from exiting the system and therefore their funds would be stuck. As the ercDebtRate is increased on all shortRecords, this penalty could mean that the funds of honest shorters, who always kept their shortRecord over collateralised are stuck inside the protocol, and they are not able to get it back.

Vulnerability Details

During the liquidation process, it is possible that the ercDebtRate increases on the given asset. This is a penalty which all shorters should pay. It is updated on all shortRecords on any interaction with them by calling the updateErcDebt function:

As we can see this function takes the current ercDebtRate of the asset and if there is a difference to the ercDebtRate on the shortRecord it adds the difference to the ercDebtRate of the shortRecord. On creating a new shortRecord the current ercDebtRate of the asset is saved into the shortRecord, therefore there is no difference to the one of the asset. This allows the following sandwich attack:

• Shorter watches the chain and sees a liquidation call that would increase the ercDebtRate

• Shorter front runs the call and exit all open short positions

• The liquidation call that increases the ercDebtRate happens

• Shorter reopens the short positions

The new created shortRecords after the increment of the ercDebtRate get the ercDebtRate which is already increased. Therefore, there is no difference between the ercDebtRate of the asset and the ercDebtRate of the shortRecord and that means no extra amount of assets are needed to exit the system.

Impact

Users can skip paying the ercDebtRate penalty, and by doing so the penalty of all other shorters would increase accordingly.

Tools Used

Manual Review

Recommendations

Rethink the mechanism of the ercDebtRate penalty, or take a fee on exiting short records, so that skipping the penalty will less often lead to profits, as the shorters would need to pay the exit fee twice.