DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Valid

The `LibAsset::minShortErc` and `LibAsset::minAskEth` checks can be bypassed, so short orders end up created below the minimum values and would not incentivize liquidators

Summary

A short can be created with values below minAskEth and minShortErc. The resulting short record, holding only minimum-sized amounts and collateral, would not be attractive to liquidate when it becomes liquidatable.

Vulnerability Details

Short orders are created through the ShortOrdersFacet::createLimitShort() function. It checks the minAskEth and minShortErc minimums before anything else, on the requested size. The problem is that the bid orders on the book may not be enough to fill the short order completely, so the short record ends up created with less than the minimum values. Consider the following scenario:

Current system status:
minBidEth: 1
minAskEth: 2
minShortErc: 2
Current orderbook status:
Bid orders - ercAmount: 1, price: 1
Short orders: 0
  1. A new short order is submitted with ercAmount: 2, price: 1, initialMargin: 500. The following validation does not revert the transaction (2 < 2 || 2 < 2 is false):

File: ShortOrdersFacet.sol
```solidity
if (ercAmount < p.minShortErc || p.eth < p.minAskEth) {
    revert Errors.OrderUnderMinimumSize();
}
```

  2. The new short order is matched with the only bid order available. fillErc = 1 and fillEth = 1. matchTotal.colUsed is 1 (incomingSellPrice) * 1 (fillErc) * 500 (initialMargin) = 500.

  3. Since there is only one bid order, the matching process ends, and the validation at code line 666 is not true, so the leftover incomingSell.ercAmount (1) is not added to the orderbook (1 [left ercAmount] * 1 [incomingSellPrice] >= 2 is false).

File: LibOrders.sol
```solidity
666: if (incomingAsk.ercAmount.mul(incomingAsk.price) >= minAskEth) {
667:     addSellOrder(incomingAsk, asset, orderHintArray);
668: }
```

  4. The user's short record is created with the following fills:

matchTotal.fillErc = 1
matchTotal.fillEth = 1
matchTotal.colUsed = 500

These are below the minimums required by minAskEth and minShortErc.

Impact

Shorts can be created with less than the minimum values required by minAskEth and minShortErc. Such a short record would not be attractive to liquidators, since the collateral attached is not enough to cover the cost of the liquidation transaction.

Tools used

Manual review

Recommendations

Verify the minimum required values minAskEth and minShortErc again at short record creation, in the LibShortRecord::createShortRecord() function, using the matched totals rather than the requested size.
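The scenario from the Vulnerability Details and the post-match check from the Recommendations, as an added Python model of the matching flow (example code, not DittoETH's own). It assumes fills settle at the short's price and uses the page's colUsed arithmetic (price * fillErc * initialMargin) with initialMargin as a raw multiplier; the `fixed` flag enables the recommended re-check on the filled totals.

```python
from dataclasses import dataclass

# Constructed model of the matching flow in the finding; not DittoETH code.
# Assumptions: fills settle at the short's price, and colUsed follows the
# page's arithmetic (price * fillErc * initialMargin) with a raw multiplier.

@dataclass
class Bid:
    erc_amount: int
    price: int

@dataclass
class Params:
    min_bid_eth: int
    min_ask_eth: int
    min_short_erc: int

class OrderUnderMinimumSize(Exception):
    pass

def create_limit_short(p, bids, erc_amount, price, initial_margin, fixed=False):
    """Return (fillErc, fillEth, colUsed, leftover_booked) for the created short."""
    # Pre-match check (ShortOrdersFacet): only the *requested* size is validated.
    if erc_amount < p.min_short_erc or erc_amount * price < p.min_ask_eth:
        raise OrderUnderMinimumSize("requested size")
    fill_erc = fill_eth = col_used = 0
    remaining = erc_amount
    for bid in bids:                      # bids assumed sorted best-first
        if remaining == 0 or bid.price < price:
            break
        fill = min(remaining, bid.erc_amount)
        fill_erc += fill
        fill_eth += fill * price
        col_used += price * fill * initial_margin
        remaining -= fill
    # Leftover check (LibOrders line 666): a remainder below minAskEth is
    # silently dropped instead of being placed on the orderbook.
    leftover_booked = remaining > 0 and remaining * price >= p.min_ask_eth
    # Recommended fix: re-validate the *filled* totals before the short
    # record is created, so a dust-sized record cannot exist.
    if fixed and fill_erc and (fill_erc < p.min_short_erc or fill_eth < p.min_ask_eth):
        raise OrderUnderMinimumSize("filled size")
    return fill_erc, fill_eth, col_used, leftover_booked

def short_record_created(p, bids, erc_amount, price, initial_margin, fixed=False):
    """True if a short record is created, False if the call reverts or nothing fills."""
    try:
        return create_limit_short(p, bids, erc_amount, price, initial_margin, fixed)[0] > 0
    except OrderUnderMinimumSize:
        return False
```

With the page's numbers (minAskEth 2, minShortErc 2, one bid of 1 at price 1) the unfixed path returns fillErc 1, fillEth 1, colUsed 500 and books no leftover, while the fixed path reverts.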

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-145
