DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Combining short positions resets flag

0xf

Summary

When two short positions are combined we resets the updatedAt flag.
This occurs automatically when a user hits the limit of 254 open positions and without any checks performed.

Vulnerability Details

An attacker could exploit this by creating 253 filler positions and heavily leveraging the 254th. When a liquidator tries to flag the position, the attacker can simply create another short position. This resets the liquidation countdown.

Impact

Primary liquidation fail, since the liquidation window can not be reached.
The leveraged position has a higher risk of accruing bad debt and generating costs for all other users.

Tools Used

VS Code

Recommendations

Here are two options to fix the vulnerability

  1. Introduce checks when combining two positions.

  2. Eliminate the automatic combination of shorts.

From a software architecture standpoint, the second option is more straightforward.

Here’s the suggested code adjustment:

function createShortRecord(
...
} else {
- // All shortRecordIds used, combine into max shortRecordId
- id = Constants.SHORT_MAX_ID;
- fillShortRecord(
- asset,
- shorter,
- id,
- status,
- collateral,
- ercAmount,
- ercDebtRate,
- zethYieldRate
- );
+ revert ToManyPositions();
}
}

Note that a sophisticated user can still combine multiple records by calling combineShorts.

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-270

alra Auditor
almost 2 years ago
0xnevi Lead Judge
almost 2 years ago
0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-270

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.