
068.md


Low Tangerine Cod

High

double deduction of optionsFeesToGetFromOtherChain on user withdraw

Summary

optionsFeesToGetFromOtherChain is being added instead of deducted from totalCdsDepositedAmountWithOptionFees.

Root Cause

Here params.optionsFeesToGetFromOtherChain is being subtracted from totalCdsDepositedAmountWithOptionFees:

                    totalCdsDepositedAmountWithOptionFees -= (params.cdsDepositDetails.depositedAmount - params.cdsDepositDetails.liquidationAmount + params.optionsFeesToGetFromOtherChain);

Blockchian/contracts/lib/CDSLib.sol#L731

params.optionsFeesToGetFromOtherChain is a value that would later be deducted on another chain here:

        cds.updateTotalCdsDepositedAmountWithOptionFees(uint128(oappData.optionsFeesToRemove + oappData.cdsAmountToRemove + oappData.liqAmountToRemove)); // all others 0

        ...

        function updateTotalCdsDepositedAmountWithOptionFees(
            uint128 _amount
        ) external onlyGlobalOrLiquidationContract {
            // If the totalCdsDepositedAmountWithOptionFees is non zero
            if (totalCdsDepositedAmountWithOptionFees != 0) {
                totalCdsDepositedAmountWithOptionFees -= _amount;
            }
        }

This means in total from both chains:

$$ \text{totalCdsDepositedAmountWithOptionFees} \mathrel{-=} (\text{depositedAmount} - \text{liquidationAmount} + 2 \cdot \text{optionsFeesToGetFromOtherChain}) $$

Internal pre-conditions

none

External pre-conditions

none

Attack Path

always happening

Impact

Some CDS holders will not be able to withdraw their funds, because the broken accounting leaves totalCdsDepositedAmountWithOptionFees lower than the amount they want to withdraw.
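The effect described above can be reproduced with a small model. This is an added Python example, not code from the report or the project: `Chain`, `withdraw`, `scenario` and all amounts are constructed, and it assumes each chain keeps its own total and that subtraction reverts on underflow.

```python
# Added illustration: simplified Python model, not the project's Solidity code.
# Chain, withdraw, scenario and the sample amounts are constructed for this example.

class Revert(Exception):
    """Stands in for a Solidity checked-arithmetic revert."""

def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise Revert(f"underflow: {a} - {b}")
    return a - b

class Chain:
    def __init__(self, total: int):
        # Models totalCdsDepositedAmountWithOptionFees on one chain.
        self.total = total

    def update_total(self, amount: int) -> None:
        # Mirrors updateTotalCdsDepositedAmountWithOptionFees as quoted on the page.
        if self.total != 0:
            self.total = checked_sub(self.total, amount)

def withdraw(local, remote, deposited, liquidation, fee_other, fixed):
    """Apply one withdrawal's accounting; return the combined deduction."""
    before = local.total + remote.total
    if fixed:   # mitigation from the report: fee is only deducted on the other chain
        local_cut = checked_sub(checked_sub(deposited, liquidation), fee_other)
    else:       # reported line: fee is also deducted locally
        local_cut = deposited - liquidation + fee_other
    local.total = checked_sub(local.total, local_cut)
    remote.update_total(fee_other)  # cross-chain update carrying optionsFeesToRemove
    return before - (local.total + remote.total)

def scenario(fixed: bool):
    """Two holders with 1000 each on chain A; the first takes 50 of fees from chain B."""
    a, b = Chain(2000), Chain(500)
    first = withdraw(a, b, 1000, 0, 50, fixed)
    try:
        withdraw(a, b, 1000, 0, 0, fixed)
        second_ok = True
    except Revert:
        second_ok = False
    return first, second_ok, a.total, b.total
```

With the reported line the first withdrawal removes 1100 across both chains and the second holder's withdrawal reverts; with the mitigation it removes 1000 and the second withdrawal succeeds.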

PoC

No response

Mitigation

Deduct like it's done in the rest of the project:

                    // update totalCdsDepositedAmountWithOptionFees
-                    totalCdsDepositedAmountWithOptionFees -= (params.cdsDepositDetails.depositedAmount - params.cdsDepositDetails.liquidationAmount + params.optionsFeesToGetFromOtherChain);
+                    totalCdsDepositedAmountWithOptionFees -= (params.cdsDepositDetails.depositedAmount - params.cdsDepositDetails.liquidationAmount - params.optionsFeesToGetFromOtherChain);
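Review bot: on the `+` line the inner expression now subtracts both `liquidationAmount` and `optionsFeesToGetFromOtherChain` from `depositedAmount` before the result is applied with `-=`, and nothing in this hunk shows that `depositedAmount` is at least their sum, so under checked arithmetic the withdrawal would revert whenever it is not. Consider enforcing or documenting that bound next to this line, or computing `depositedAmount - liquidationAmount` first and handling the fee adjustment as a separate guarded step. The comment `// update totalCdsDepositedAmountWithOptionFees` could also state that the fee share is deducted on the other chain, since that is the reason for the sign.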