Skip to content

Latest commit

 

History

History
51 lines (29 loc) · 1.45 KB

097.md

File metadata and controls

51 lines (29 loc) · 1.45 KB

Small Shamrock Rook

High

Minting and burning nuAssets can be repeated to atomically reduce buy_fee_PID to zero

Summary

Minting nuAssets and burning nuAssets both call vaultManager.updateBuyFeePid() based on the NUMA amount minted or burned.

However, both of these use the vaultBuy=false parameter (since they are not vault buys), which causes them to reduce the buy_fee_PID.

This allows anyone to repeat minting and burning a nuAsset (delta-neutral) to reduce the buy_fee_PID to 0

vaultManager.updateBuyFeePID(_numaAmount, false);

(The above logic is used in both mintNuAsset() and burnNuAssetFrom())

Root Cause

Calling vaultManager.updateBuyFeePid() will decrease the buy_fee_PID in both cases.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Burn NUMA to mint a nuAsset
  2. Mint NUMA by burning the nuAsset
  3. Repeat the above steps until buy_fee_PID is equal to zero
  4. Now, in the same transaction, we can liquidate many rETH borrowers since the vault buy price of NUMA has decreased significantly

Impact

buy_fee_PID can be atomically reduced to 0

Liquidation conditions can be achieved atomically, and the attacker can profit via the liquidation bonus

PoC

No response

Mitigation

No response