DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

DITTO matched rewards are extremely low and will not incentivize users as expected

Summary

An important incentive in this system is to encourage users to create short and bid orders which stay on the books by issuing them DITTO rewards. The issue is that the maximum amount of DITTO rewards earnable by users is so exceptionally low that realistically this incentive system is completely broken and no users will be incentivized by it.

Vulnerability Details

Consider how the amount of DITTO rewards to mint for a user is calculated in the claimDittoMatchedReward function of the YieldFacet contract:

    uint256 protocolTime = LibOrders.getOffsetTime() / 1 days;
    uint256 elapsedTime = protocolTime - Vault.dittoMatchedTime;
    uint256 totalReward =
        Vault.dittoMatchedReward + elapsedTime * 1 days * Vault.dittoMatchedRate;
    // User's proportion of the total token reward
    uint256 sharesTotal = Vault.dittoMatchedShares;
    uint256 userReward = shares.mul(totalReward).div(sharesTotal);
    // Only update dittoMatchedTime when totalReward increases
    if (elapsedTime > 0) {
        Vault.dittoMatchedTime = uint16(protocolTime); // @dev(safe-cast)
    }

Effectively, to calculate the total amount of DITTO rewards to mint across all users who earned rewards, it does the following calculation: uint256 totalReward = Vault.dittoMatchedReward + elapsedTime * 1 days * Vault.dittoMatchedRate; Vault.dittoMatchedReward simply caches the existing owed rewards, so we can ignore it for this discussion. Therefore, totalReward is effectively equal to (elapsed time in seconds from approx. creation of the vault) * Vault.dittoMatchedRate.

In the OwnerFacet contract, we can see that Vault.dittoMatchedRate must be <= 100:

    function _setDittoMatchedRate(uint256 vault, uint16 rewardRate) private {
        require(rewardRate <= 100, "above 100");
        s.vault[vault].dittoMatchedRate = rewardRate;
    }

Let's assume there's only one user who has dittoMatchedShares for now (meaning they will receive all rewards) and that Vault.dittoMatchedRate = 100. This effectively means 1e2 DITTO is minted per second, and that user will receive all these rewards.

Consider the amount of time it takes to mint 1e18 DITTO (which is the precision of this token) = 1e18/1e2 seconds = 115740740741 days. This is the most optimistic amount of time to earn a single DITTO token; unless DITTO is valued astronomically high, these rewards will not incentivize any users.

Impact

The incentive system meant to prompt limitBid and limitShort orders through the dittoMatchedShares is completely broken and no users will be incentivized.

Tools Used

Manual review

Recommendations

The dittoMatchedRate should be set as a significantly higher number.
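
As an added illustration (not code from the submission or from the DittoETH repository), the Python model below mirrors the quoted totalReward arithmetic and checks the report's figure, then computes the rate a given emission target would need against the uint16 type and the cap of 100. Function names are hypothetical, the 18-decimal unit is taken from the report, and mul/div are assumed to reduce to plain pro-rata integer division.

```python
SECONDS_PER_DAY = 86_400   # Solidity's `1 days`
MAX_RATE = 100             # cap enforced by _setDittoMatchedRate
UINT16_MAX = 2**16 - 1     # rewardRate is declared uint16
ONE_DITTO = 10**18         # 18-decimal precision, per the report


def total_reward(cached, offset_time, matched_time_days, rate):
    """Mirror of the quoted totalReward line, including whole-day truncation."""
    if rate > MAX_RATE:
        raise ValueError("above 100")
    protocol_time = offset_time // SECONDS_PER_DAY
    elapsed_days = protocol_time - matched_time_days
    return cached + elapsed_days * SECONDS_PER_DAY * rate


def user_reward(shares, shares_total, reward):
    # Assumption: shares.mul(x).div(total) reduces to pro-rata integer division.
    return shares * reward // shares_total


def _ceil_div(a, b):
    return -(-a // b)


def days_to_earn(target, rate, shares, shares_total):
    """Smallest whole number of days until user_reward reaches target base units."""
    return _ceil_div(target * shares_total, shares * SECONDS_PER_DAY * rate)


def min_rate_for(target, days, shares, shares_total):
    """Smallest per-second rate that pays target base units within `days`."""
    return _ceil_div(target * shares_total, shares * SECONDS_PER_DAY * days)


if __name__ == "__main__":
    # Constructed scenario from the report: one holder owns all shares, rate = 100.
    print("days to earn 1e18 units:", days_to_earn(ONE_DITTO, MAX_RATE, 1, 1))
    needed = min_rate_for(ONE_DITTO, 1, 1, 1)
    print("rate for 1e18 units/day:", needed, "fits uint16:", needed <= UINT16_MAX)
```

Running the same functions against a proposed rate and share distribution before a parameter change shows whether the emission is meaningful at the token's precision.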

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
