DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Certain user's may be able to leverage short order fills to delay primary liquidation on 254th

hash

Vulnerability Details

When a partially filled short order gets filled again, the updatedAt timestamp of the associated short record is updated which resets the time required for primary liquidation even if the collateral ratio is below the liquidation threshold.

function fillShortRecord(

address asset,

address shorter,

uint8 shortId,

SR status,

uint88 collateral,

uint88 ercAmount,

uint256 ercDebtRate,

uint256 zethYieldRate

) internal {

// more code

// @audit the time is updated

LibShortRecord.merge(

short,

ercAmount,

ercDebtSocialized,

collateral,

yield,

LibOrders.getOffsetTimeHours()

);

https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/libraries/LibShortRecord.sol#L153-L181

Although ordinary short records have one-to-one mapping with short orders, the short record at id == 254, can have multiple short orders associated with it. This can make it possible for some type of user's to keep a calculated low collateral ratio and offset the primary liquidation through the creation of short orders.
If the account is an entity that manages shorting/funds of several people, it can park the first 253 slots and make its regular short openings via id == 254 hence resetting the updatedAt frequently making primary liquidations not possible.

Cost calculation

minBid eth : .001

cratio max : 15

minShort : 2000

Short for 2000 usd at 5x initial margin and exit leaving minBid amount in ShortRecord => collateral per short record == 0.005 eth

Overcollateralize by 3 times to prevent liquidation on these orders => 0.015 eth

To park 252 short orders: 252 * 0.015 = 3.78 eth

Gas to create short 252 times and exit short wallet 252 times : (102596 + 44613) * 252 == 37096668

Considering gas to be 100gwei, gas cost => ( 37096668 * 100000000000 / 1e18 ) == 3 eth

Considering eth == 1700 usd,

Total cost = 1700 * 6.78 == 11526 usd

Impact

Some users may be able to sustain a collateral ratio < primary liquidation threshold for a long time.

Recommendations

If deciding to mitigate this issue, a separate mapping could be created containing the flag times for each shortRecord.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-270

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.