DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

The maximum zeth tithe percentage should not exceed a percent equal to (1/initial margin)*100. Otherwise shorters could lose yield compared to just holding staked ETH.

Summary

Ditto's documentation says that shorters are compensated for the risks they take on because they are given the yield of the zETH of the long user they matched with, allowing them to earn more than they would have just holding staked ETH. But the maximum zETH tithe percentage (which is taken from their yield) is 33%, which means they can lose up to a third of their yield, and the initial margin is 5x. By adding the collateral of the long user, they gain 20% more yield but with a zETH tithe of 33%, they may end up with less than if they just held staked ETH.

The maximum zeth tithe percentage should take the minimum initial margin into account. It should be no more than (and probably should be less than, if you want to incentivize people to short) a percentage equal to (1/initial minimum margin) * 100.

Vulnerability Details

This function in OwnerFacet.sol allows the tithe to be as high as 33.33%:

    function _setTithe(uint256 vault, uint16 zethTithePercent) private {
        if (zethTithePercent > 33_33) revert Errors.InvalidTithe();
        s.vault[vault].zethTithePercent = zethTithePercent;
    }

This function in LibAsset.sol sets initial minimum margin to 5:

    // default of 5 ether, stored in uint16 as 500
    // range of [1-10],
    // 2 decimal places, divide by 100
    // i.e. 123 -> 1.23 ether
    // @dev cRatio that a short order has to begin at
    function initialMargin(address asset) internal view returns (uint256) {
        AppStorage storage s = appStorage();
        return (uint256(s.asset[asset].initialMargin) * 1 ether)
            / Constants.TWO_DECIMAL_PLACES;
    }

Impact

Currently this is not an issue because the zeth tithe is set to 10%, but the owner could always change it. Users should also be aware that the owner could have it set to 10% now but increase it later, such that they are now losing yield compared to just holding staked ETH (especially because you are taking on a lot of additional risk placing your staked ETH into another contract). The impact of this issue is that people may hesitate to short on Ditto, especially if the zeth tithe is near or above a percentage equal to (1/initial minimum margin) * 100. If people don't short on Ditto, then no pegged assets will be created, and there won't be much liquidity on the exchange.

Tools Used

Manual review

Recommendations

Make the maximum zeth tithe percentage equal to less than (1/initial minimum margin)*100. You could also consider updating it automatically whenever initial minimum margin is increased.
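
The yield comparison from the Summary, worked through with the encodings shown above (tithe in basis points, initial margin with two decimals); this is an added example, not part of the submission or of Ditto's code. It assumes the model the report describes: the shorter's collateral is the initial margin, the matched long adds one unit, and the tithe is taken from the yield on all of it. The function names are hypothetical.

```python
# Added example: yield model taken from the report's description, not from Ditto's code.
BPS = 10_000                 # tithe encoding: 33_33 == 33.33%
TWO_DECIMAL_PLACES = 100     # initialMargin encoding: 500 == 5.00x
HARD_CAP_BPS = 33_33         # limit enforced by _setTithe on the page


def shorter_vs_holding_bps(initial_margin: int, tithe_bps: int) -> int:
    """Shorter's net yield relative to holding the same staked ETH, in bps.

    Assumption: the shorter posts initial_margin/100 units of collateral, the
    matched long adds 1 unit, and the tithe is taken from the yield on all of it.
    10_000 means parity with holding; lower means the shorter earns less.
    """
    collateral = initial_margin + TWO_DECIMAL_PLACES  # shorter + long, 2 decimals
    return collateral * (BPS - tithe_bps) // initial_margin


def report_bound_bps(initial_margin: int) -> int:
    """The report's proposed cap, (1 / initial margin) * 100, in bps."""
    return BPS * TWO_DECIMAL_PLACES // initial_margin


def breakeven_tithe_bps(initial_margin: int) -> int:
    """Largest tithe (bps, rounded down) at which the shorter is not behind holding."""
    return BPS * TWO_DECIMAL_PLACES // (initial_margin + TWO_DECIMAL_PLACES)


def summarize(initial_margin: int = 500) -> dict:
    """Map each tithe of interest to (tithe_bps, shorter/holding in bps)."""
    tithes = {
        "current": 10_00,                                   # 10%, per the Impact section
        "report_bound": report_bound_bps(initial_margin),
        "breakeven": breakeven_tithe_bps(initial_margin),
        "hard_cap": HARD_CAP_BPS,
    }
    return {name: (t, shorter_vs_holding_bps(initial_margin, t))
            for name, t in tithes.items()}


if __name__ == "__main__":
    for name, (tithe, rel) in summarize().items():
        print(f"{name:12s} tithe={tithe / 100:6.2f}%  shorter/holding={rel / 100:7.2f}%")
```

With the default margin of 500, a tithe at the report's bound (20%) still leaves the shorter at 96% of holding, consistent with the report's remark that the cap should probably be lower. Under this model parity is reached at 16.66%, and the 33.33% hard cap leaves the shorter at 80%.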

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Admin Input/call validation