DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Combining shorts can cause problems

nyx

Summary

Combining shorts can cause problems

Vulnerability Details

The system does not permit minting the last shortRecord of a shorter (id = 254) since the last shortRecord of a shorter is reserved for special behavior. To counteract this behavior the shortRecord in position 254 is modified/blended anytime a new shortRecord would have been created with a shortRecordIdCounter greater than 254.

else {

// All shortRecordIds used, combine into max shortRecordId

id = Constants.SHORT_MAX_ID;

fillShortRecord(

asset,

shorter,

id,

status,

collateral,

ercAmount,

ercDebtRate,

zethYieldRate

);

}

And the fillShortRecord function merges two shorts.

The problem is that the last short id may have been flagged.

id = Constants.SHORT_MAX_ID;

When two shorts merge, the merge function uses the SHORT_MAX_ID and. So, the newly created short remained flagged.

Suppose the newly created short will be under minimum CR. In that case, it may get instantly liquidated, which is bad for the user because shorts are considered separated when it comes to liquidation.

function merge(

STypes.ShortRecord storage short,

uint88 ercDebt,

uint256 ercDebtSocialized,

uint88 collateral,

uint256 yield,

uint24 creationTime

) internal {

// Resolve ercDebt

ercDebtSocialized += short.ercDebt.mul(short.ercDebtRate);

short.ercDebt += ercDebt;

short.ercDebtRate = ercDebtSocialized.divU64(short.ercDebt);

// Resolve zethCollateral

yield += short.collateral.mul(short.zethYieldRate);

short.collateral += collateral;

short.zethYieldRate = yield.divU80(short.collateral);

// Assign updatedAt

short.updatedAt = creationTime;

}

Another problem is that when the two shorts merge, the merge function updates the short.updatedAt to the current time. A malicious user can open a new short to update the updateAt parameter so that his flagged short can't be liquidated.

For example :

Alice flags Bob's short.(id=254)(id=254)
Alice needs to wait for the first liquidation time to be able to liquidate Bob's short.
Bob sees this and creates a new short. Shorts merge and newly created short has an updated short.updatedAt.
Alice tries to liquidate Bob, but the transaction reverts because the time difference needs to be greater than the first liquidation time, but it's not.

Impact

Users may face unexpected liquidation(collateral loss).
Malicious users may escape primary liquidation.

Tools Used

Manual Review

Recommendations

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-270

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.