DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

TAPP Mismanagement: Unfair Asset Treatment and Trust Erosion

ElHaj

Summary

The TAPP (Treasury Asset Protection Pool) mechanism, designed to safeguard market stability during price shocks, has been observed to operate counter to its intended purpose. Specifically, during market shutdowns triggered by undercollateralization, the TAPP seizes remaining collateral above 1:1 ratio , leaving users with pegged assets at a loss often cause TAPP claims collateral before users can redeem their assets, resulting in reduced values during high volatility events.Additionally there is no try to refund when Ratio is under 1:1. leaving the users to take the loss.

Vulnerability Details

the protocol claims that the TAPP(Treasury Asset Protection Pool) Used to back under collateralized markets in case of black Swans,and Protecting Ditto users who are holding the pegged assets from loss.

TAPP:

The Treasury Asset Protection Pool (TAPP) is used for bolstering the stability of market pegged assets during periods of large price shock movements....

however that's not true in case of market shutdown,in fact the oposit is true .
in case of a market became under collateralized anyone can call shutdownMarket function from MarketShutdownFacet facet and close this market.

function shutdownMarket(address asset) external onlyValidAsset(asset) isNotFrozen(asset) nonReentrant {

uint256 cRatio = _getAssetCollateralRatio(asset);

if (cRatio > LibAsset.minimumCR(asset)) {

revert Errors.SufficientCollateral();

} else {

STypes.Asset storage Asset = s.asset[asset];

uint256 vault = Asset.vault;

uint88 assetZethCollateral = Asset.zethCollateral;

s.vault[vault].zethCollateral -= assetZethCollateral;

Asset.frozen = F.Permanent;

if (cRatio > 1 ether) {

// More than enough collateral to redeem ERC 1:1, send extras to TAPP

//@audit-issue : the tap should only take the remaining eth , after the users get claimed thier, not before.

uint88 excessZeth = assetZethCollateral - assetZethCollateral.divU88(cRatio);

s.vaultUser[vault][address(this)].ethEscrowed += excessZeth;

// Reduces c-ratio to 1

Asset.zethCollateral -= excessZeth;

}

emit Events.ShutdownMarket(asset);

}

as we can see the The market will close under the minimum ratio .however the minimum ratio it doesn't mean Necessarily 1:1.
we see if the market is above 1 ratio .the TAPP will take the remaine collateral and let's this market with 1:1 ratio.

if (cRatio > 1 ether) {

// More than enough collateral to redeem ERC 1:1, send extras to TAPP

......

}

Then any user who hold the ERC pegged assets can redeem his eth. here :

function redeemErc(address asset, uint88 amtWallet, uint88 amtEscrow)

external

isPermanentlyFrozen(asset)

nonReentrant

{

if (amtWallet > 0) {

asset.burnMsgSenderDebt(amtWallet);

}

if (amtEscrow > 0) {

s.assetUser[asset][msg.sender].ercEscrowed -= amtEscrow;

}

uint88 amtErc = amtWallet + amtEscrow;

uint256 cRatio = _getAssetCollateralRatio(asset);

// Discount redemption when asset is undercollateralized

uint88 amtZeth = amtErc.mulU88(LibOracle.getPrice(asset)).mulU88(cRatio);

s.vaultUser[s.asset[asset].vault][msg.sender].ethEscrowed += amtZeth;

emit Events.RedeemErc(asset, msg.sender, amtWallet, amtEscrow);

}

Notice that the users will get less value. then thier ERC pagged asset value if ration is CR < 1.and in market shutdown events, where the TAPP enforces a 1:1 collateral ratio first, frequently occur during periods of high market volatility. In such situations, users experience amplified losses as the TAPP claims remaining assets about a 1:1 ratio, while the collaterall price continues to crash.
also Notice That In the event of a market becoming undercollateralized, the TAPP does not intervene to refund or stabilize the market. Instead, it allows users to suffer losses without attempting to mitigate or share the burden, contrary to its claimed purpose.
so TAPP behaves inversely: users face losses while the protocol benefits, contrary to what should occur in such situations.
Furthermore, honest shorters with Healthy shortRecords and high C-ratios will face substantial losses. They are unfairly penalized for the unhealthy shortRecords, resulting in the loss of their positions and collateral holdings.

Tools Used

Manual review.

Recommendations

I would recommend :

set a claim period for users holding asset to redeem thier eth :
if CR < 1 . try to refund the market from the TAPP balance if it's posssible.
after the Claim Ends or there is no left Debt(you can track this by decreasing the debt from Asset each time a user redeemed). if there is a remaining collateral add it to the TAPP balance. which would be more Efficient for protocol and users.

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.