DittoETH
Ditto
Tags: DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: high
Status: Invalid

Potential Griefing Attack via Unsolicited Short Position NFT Transfers

Summary

Short positions in the DittoETH protocol can be represented as NFTs. Transferring such an NFT to another address also transfers the short position it represents, including its debt and the obligation to keep it adequately collateralised. This report argues that a user can abuse this by deliberately transferring a short position to an unsuspecting or unprepared recipient, particularly when the position is close to becoming under-collateralised.

Once the position is out of their hands, the original owner can, if the collateral ratio falls below the liquidation threshold, flag it for liquidation and potentially liquidate it themselves. The recipient then bears the consequences of the liquidation, while the original owner can collect the liquidation fee and any accrued yield.

In the worst case, if the position's collateral no longer covers its debt at liquidation, the shortfall is paid from the Treasury Asset Protection Pool (TAPP). Repeating this pattern could drain the TAPP, weakening the protocol's ability to absorb bad debt. The report therefore frames the issue both as harm to individual users and as a systemic risk to the protocol.

Vulnerability Details

NFT Transfers and Associated Short Positions:

In the DittoETH protocol, a short position can be represented as an NFT.
Transferring the NFT to another user also transfers the short position's debt and collateral obligations.
The recipient becomes responsible for keeping the transferred position above the required collateral ratio.

Potential Exploitation:

A malicious user monitors their own short position and, as it approaches under-collateralisation, transfers the NFT to an unsuspecting recipient.
The recipient, who did not ask for the position, may have neither the funds nor the intention to top up its collateral.
The original owner can then flag the transferred position for liquidation and, once the collateral ratio has fallen below the liquidation threshold, liquidate it.
The original owner collects the liquidation fee and any yield associated with the liquidation.

Treasury Asset Protection Pool (TAPP):

If the position's collateral no longer covers its debt at liquidation, the shortfall is paid from the TAPP.
Repeating this pattern could significantly deplete the TAPP, which the protocol relies on to absorb bad debt.

Impact

Unsuspecting Victims:

Users may involuntarily receive risky positions and suffer financial loss as a result.

TAPP Depletion:

Repeated exploitation could significantly deplete the TAPP, weakening the protocol's overall health and its ability to cover shortfalls from genuine liquidations.

Tools Used

Manual review

Recommendations

Restrict NFT Transfers: refuse to transfer a short-position NFT whose collateral ratio is below a configured threshold, so that positions close to liquidation cannot be handed off.

Two-Step Transfer Confirmation: replace push-style transfers with an offer/accept flow in which the recipient must actively accept the incoming NFT; nothing moves until they do.
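The following sketch shows what the two recommendations above look like together in Solidity. It is an added example written for this page, not code from DittoETH or the report author: the contract `TwoStepShortToken`, the `IShortHealth` interface and the `minTransferCR` threshold are all hypothetical, the collateral-ratio source is assumed to be an external view function scaled to 1e18, and the token is a minimal owner registry rather than a full ERC-721 implementation (approvals, metadata and safe-transfer hooks are omitted for brevity).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical source of a short position's collateral ratio, scaled 1e18
/// (1.5e18 == 150%). Assumed for this example; not DittoETH's interface.
interface IShortHealth {
    function collateralRatio(uint256 shortId) external view returns (uint256);
}

/// Minimal owner registry for short-position NFTs with a two-step
/// (offer / accept) transfer and a health check on the offered position.
/// Illustrative only: not an ERC-721 implementation.
contract TwoStepShortToken {
    IShortHealth public immutable health;
    uint256 public immutable minTransferCR; // e.g. 1.5e18: refuse to hand off positions below 150%

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public pendingRecipient; // tokenId => address the position is offered to

    event TransferOffered(uint256 indexed tokenId, address indexed from, address indexed to);
    event TransferAccepted(uint256 indexed tokenId, address indexed from, address indexed to);
    event TransferCancelled(uint256 indexed tokenId);

    error NotOwner();
    error NotOffered();
    error PositionTooRisky(uint256 cr, uint256 required);

    constructor(IShortHealth _health, uint256 _minTransferCR) {
        health = _health;
        minTransferCR = _minTransferCR;
    }

    /// Demo mint. In a real system only the protocol would mint.
    function mint(address to, uint256 tokenId) external {
        require(ownerOf[tokenId] == address(0), "exists");
        ownerOf[tokenId] = to;
    }

    /// Step 1: the owner offers the position. Nothing moves yet, so a
    /// recipient can never have a position pushed into their account.
    function offerTransfer(uint256 tokenId, address to) external {
        if (ownerOf[tokenId] != msg.sender) revert NotOwner();
        _requireHealthy(tokenId);
        pendingRecipient[tokenId] = to;
        emit TransferOffered(tokenId, msg.sender, to);
    }

    /// The owner can withdraw an offer that has not been accepted.
    function cancelOffer(uint256 tokenId) external {
        if (ownerOf[tokenId] != msg.sender) revert NotOwner();
        delete pendingRecipient[tokenId];
        emit TransferCancelled(tokenId);
    }

    /// Step 2: only the offered recipient can pull the position. The health
    /// check is repeated here because the collateral ratio may have moved
    /// between offer and acceptance.
    function acceptTransfer(uint256 tokenId) external {
        if (pendingRecipient[tokenId] != msg.sender) revert NotOffered();
        _requireHealthy(tokenId);
        address from = ownerOf[tokenId];
        delete pendingRecipient[tokenId];
        ownerOf[tokenId] = msg.sender;
        emit TransferAccepted(tokenId, from, msg.sender);
    }

    /// Reverts if the position is below the configured transfer threshold.
    function _requireHealthy(uint256 tokenId) internal view {
        uint256 cr = health.collateralRatio(tokenId);
        if (cr < minTransferCR) revert PositionTooRisky(cr, minTransferCR);
    }
}
```

Two design points matter here. First, the threshold is checked at both offer and accept time: a position that was healthy when offered may have decayed by the time the recipient acts, and the acceptance is the step that actually changes who is exposed. Second, a pending offer does not block liquidation of the position in the original owner's hands, so an under-collateralised short cannot be parked in the offer state to dodge liquidators.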

Updates

Lead Judging Commences

0xnevi (Lead Judge), almost 2 years ago

Submission Judgement Published

Invalidated
Reason: Other
