DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Dependency on Oracle Price Hinders Partial Withdrawal of Legitimate Value

0xaman

Summary

The ExitShort contract provides a mechanism for users to partially withdraw their shorts. However, it has been observed that under specific circumstances, such as a significant increase in the price of ETH, the contract inhibits users from executing partial withdrawals of legitimate amounts. This is due to the contract's classification of these amounts as 'dust' in response to the price surge. The subsequent Proof of Concept (POC) elaborates on this case:

Vulnerability Details

function exitShortWithERCRevert() public {

_setETH(2800 ether);

exitShortErcEscrowed(

Constants.SHORT_STARTING_ID, uint88(getUserStruct(sender).ercEscrowed - 4 ether) , sender

);

_setETH(3000 ether);

vm.expectRevert(Errors.CannotLeaveDustAmount.selector);

// here it stop the user ti exit short for 1 ether and left amt is 3 ethers. but due it surge in price the user will not be able to exit 1 ETH.

exitShortErcEscrowed(

Constants.SHORT_STARTING_ID, 1 ether , sender

);

_setETH(2800 ether);

// here as the price remains the same , the user can successfuly exit short

exitShortErcEscrowed(

Constants.SHORT_STARTING_ID, 1 ether , sender

);

}

function test_revertExitShortSecondaryErcEscrowedPartial() public {

prepareExitShortT({exitType: ERC_ESCROWED});

exitShortWithERCRevert();

}

Impact

This will restrict a significant number of users from utilizing the partial exit short feature if the price escalates.

Tools Used

Manual Review , Foundry

Recommendations

Please Remove the LibOracle.getPrice(asset) from the line https://github.com/Cyfrin/2023-09-ditto/blob/main/contracts/facets/ExitShortFacet.sol#L110 and https://github.com/Cyfrin/2023-09-ditto/blob/main/contracts/facets/ExitShortFacet.sol#L110. as we are already checking for minBid value here.

git diff:

- uint256 leftoverAmt = (ercDebt - buyBackAmount).mul(LibOracle.getPrice(asset));</color>

+ uint256 leftoverAmt = (ercDebt - buyBackAmount);

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.