Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fantastic Taupe Tortoise - liquidationType2 will self DOS due to lack of ETH #1056

Open
sherlock-admin4 opened this issue Dec 30, 2024 · 1 comment
Open

Fantastic Taupe Tortoise - liquidationType2 will self DOS due to lack of ETH #1056

sherlock-admin4 opened this issue Dec 30, 2024 · 1 comment
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin4
Copy link

Fantastic Taupe Tortoise

Medium

liquidationType2 will self DOS due to lack of ETH

Summary

ETH is not pulled from the treasury to turn into sUSD.
Although it's in a payable function, the ETH is inside the treasury contract and admin doesn't have access directly to take ETH out and send via msg.value, it has to be pulled internally from treasury when calling liquidation

Root Cause

lack of ETH movement from treasury into borrowLiquidation contract. So, borrowLiquidation.liquidationType2 will fail.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

When liquidating type 2, the Eth in value is turned into WETH, and then ot is turned into sETH from synthetix.
Then the sETH is turned into sUSD and this amount is used to liquidate.

But the issue is liquidationType2 on BorrowLiqudiation contract lacks the ETH in it. Although its in a payable function, the ETH is inside the treasury contract and admin doesn't have access directly to take ETH out and send via msg.value, it has to be pulled from treasury and continue the steps to swap into sUSD.

borrowLiquidation.liquidationType2

    function liquidationType2(
        address user,
        uint64 index,
        uint64 currentEthPrice
    ) internal {

//////////////////////////////////////
/////////////////////////////////////
        uint256 amount = BorrowLib.calculateHalfValue(depositDetail.depositedAmountInETH);
        // Convert the ETH into WETH
    @>  weth.deposit{value: amount}();
        // Approve it, to mint sETH
        bool approved = weth.approve(address(wrapper), amount);
        if (!approved) revert BorrowLiq_ApproveFailed();

        // Mint sETH
        wrapper.mint(amount);
        // Exchange sETH with sUSD
        synthetix.exchange(
            0x7345544800000000000000000000000000000000000000000000000000000000,
            amount,
            0x7355534400000000000000000000000000000000000000000000000000000000
        );

        // Calculate the margin
        int256 margin = int256((amount * currentEthPrice) / 100);
        // Transfer the margin to synthetix
        synthetixPerpsV2.transferMargin(margin);

        // Submit an offchain delayed order in synthetix for short position with 1X leverage
        synthetixPerpsV2.submitOffchainDelayedOrder(
            -int((uint(margin * 1 ether * 1e16) / currentEthPrice)),
            currentEthPrice * 1e16
        );
    }

Impact

liquidationType2 is DOS, broken functionality

PoC

No response

Mitigation

move ETH from the treasury to BorrowLiquidation
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Jan 27, 2025
@sherlock-admin2
Copy link
Contributor

The protocol team fixed this issue in the following PRs/commits:
https://github.com/Autonomint/Blockchain/pull/15

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4