Spare Jetblack Fish - treasury.updateYieldsFromLiquidatedLrts() updates the yield in the current chain, but collateral may be in the other chain #1052

Open
sherlock-admin2 opened this issue Dec 30, 2024 · 1 comment
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2

Spare Jetblack Fish

High

treasury.updateYieldsFromLiquidatedLrts() updates the yield in the current chain, but collateral may be in the other chain

Summary

treasury.updateYieldsFromLiquidatedLrts() updates the yield from liquidated collateral in the current chain, but this collateral could have been present in the other chain. As such, it will allow the protocol to withdraw yields that it should not in the current chain, which means other deposited collateral may not be withdrawn due to having been allocated as yield instead.

Root Cause

In CDSLib::667, the treasury is updated with liquidated collateral yield, but this yield may be present in the other chain.

Internal pre-conditions

None.

External pre-conditions

None.

Attack Path

  1. Borrower is liquidated in chain B.
  2. Some time passes and a cds depositor in chain A withdraws a part of the collateral, and updates the treasury with yield generated.
  3. The yield generated is not actually present in chain A, and is in chain B instead, so it will add yield to the treasury that is not actually backed in chain A.
  4. Protocol withdraws the yield in chain A, which is taken from other borrower deposits, who may not be able to withdraw due to lack of liquidity (or similar).

Impact

Lack of funds in chain A, leading to DoSed withdrawals.

PoC

None.

Mitigation

The yields should always be set in the chain where the liquidation happened and the collateral is held.
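
A simplified model of the attack path above, as an added example that is not part of the original report or the protocol's code. The `Treasury` class, its fields and all amounts are constructed for illustration, and the CDS depositor's own collateral payout is left out so that only the yield booking is shown.

```python
from dataclasses import dataclass

@dataclass
class Treasury:
    """Simplified per-chain treasury (constructed model, not the protocol's contract)."""
    chain: str
    held: int = 0               # collateral value actually on this chain
    borrower_deposits: int = 0  # owed back to borrowers on this chain
    booked_yield: int = 0       # yield the protocol may withdraw here

    def is_backed(self) -> bool:
        # Invariant: every booked claim is covered by funds on the same chain.
        return self.held >= self.borrower_deposits + self.booked_yield

    def withdraw_yield(self) -> int:
        amount = min(self.booked_yield, self.held)
        self.held -= amount
        self.booked_yield -= amount
        return amount

    def withdraw_deposit(self, amount: int) -> bool:
        if amount > self.held:
            return False        # DoS: the funds were paid out as "yield"
        self.held -= amount
        self.borrower_deposits -= amount
        return True


def run_attack_path(book_on_liquidation_chain: bool) -> dict:
    a, b = Treasury("A"), Treasury("B")
    # Constructed numbers: a 100-unit borrower deposit on chain A.
    a.held, a.borrower_deposits = 100, 100
    # Step 1: borrower liquidated on chain B; the seized collateral (100)
    # stays on B and has accrued 10 units of yield.
    b.held, liquidated_yield = 110, 10
    # Steps 2-3: a CDS withdrawal on chain A triggers the yield update.
    target = b if book_on_liquidation_chain else a
    target.booked_yield += liquidated_yield
    backed_before_payout = a.is_backed() and b.is_backed()
    # Step 4: protocol withdraws the yield, then chain A's borrower withdraws.
    target.withdraw_yield()
    borrower_ok = a.withdraw_deposit(100)
    return {"backed": backed_before_payout, "borrower_ok": borrower_ok,
            "a_held": a.held, "b_held": b.held}


if __name__ == "__main__":
    print("booked on current chain    :", run_attack_path(False))
    print("booked on liquidation chain:", run_attack_path(True))
```

The per-chain `is_backed()` check is the invariant a test suite or monitor can assert after every yield update: it fails as soon as yield is booked on a chain that does not hold the liquidated collateral.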

@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Jan 27, 2025
@sherlock-admin2

The protocol team fixed this issue in the following PRs/commits:
https://github.com/Autonomint/Blockchain/pull/15
