Proud Rusty Mantis
Medium
Upon debasing, we have the following calculation:
uint ndebase = ((blockTime - lastBlockTime) * debaseValue) / (deltaDebase);If the time passed is less than 4320, we round down to 0 (debaseValue is 20 and deltaDebase is 24 hours). However, there is the following check to handle such round downs:
if (ndebase <= 0) {
// not enough time has passed to get some debase, so we reset our time reference
blockTime = lastBlockTime;
}It resets the time to the last block time before the update. However, this can still be abused by a malicious actor by instead rounding to 1. It can also happen during normal conditions by users simply interacting with the protocol at certain times.
- Malicious user calls
VaultManager.getSynthScalingUpdate()or any other block time state updating function every$4320 * 2 - 1$ seconds - The
ndebasewill equal$(4320 * 2 - 1) * 20 / 86400 = 1,9997685185$ which rounds down to 1 - Instead of 2 debasing periods, there will only be 1 which causes the protocol to debase much slower than supposed to, which would keep the CF low and cause huge issues for the protocol
Synthetics will derate slower than intended, which will keep the CF low as users are not incentivized to sell them
Refactor the formula