DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Wrong asset is flagged

0xf

Summary

The flagShort function is improperly assigning flags to the cUSD market, irrespective of the actual market of the short position. This issue is non-critical with a single market but turns exploitable with the addition of more markets.

Vulnerability Details

In the final step of the flagShort function we store the flaggerId of the liquidator in the ShortRecord structure of
the shorter. However, we do not use the short position in question, but always link the flag to the short position on the cusd market. This isn’t problematic with one market but opens up avenues for exploitation when additional assets are introduced:

A scenario to consider:

  1. A user establishes a significant short position in the AUD market.

  2. The user’s collateral ratio declines.

  3. The liquidator attempts to flag the position, but flags the cusd market

  4. The position remains unflagged, and (early) liquidations are bypassed.

Impact

The bug leads to the generation of bad debt, threatening the protocol's financial health.

Tools Used

Manual Analysis

Recommendations

A direct fix is to modify the flagShort function to associate the flag with the correct asset. Here’s the corrected code:

function flagShort(address asset, address shorter, uint8 id, uint16 flaggerHint)
...
- short.setFlagger(cusd, flaggerHint);
+ short.setFlagger(asset, flaggerHint);
emit Events.FlagShort(asset, shorter, id, msg.sender, adjustedTimestamp);
}
Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.