You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 7, 2024. It is now read-only.
sherlock-admin opened this issue
Jul 3, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
In an ongoing auction, additional collateral is added with each debt seizure, and it is subsequently sold at the prevailing auction price. The ongoing auction price can significantly deviate from the the fair value when low quantities are being auctioned.
Vulnerability Detail
The auction begins at the market price and gradually decreases to 0.
This system can be exploited by an attacker who manipulates an ongoing auction and then triggers a new auction at the stale price by calling settleBadDebt.
Here is an example of an ETH Auction scenario:
The market price of ETH is 1000 USD
Attacker purchases all but 1 Wei from the ongoing auction
The auction price decreases to 1 USD as no other bidders are willing to bid, since transaction costs outweighing potential profit.
Attacker calls settleBadDebt, injecting an additional 10 ETH into the auction.
Attacker acquires 10 ETH at 1 USD each, which is significantly below the market price.
Impact
The insurance fund and all insurance stakers generate a loss as they sell their seized collateral at a price that is significantly below the market price.
The core issue is that an auction can become stale when not enough collateral is being auctioned off. This can be avoided by setting a minimum size for each collateral type added as margin.
Further we must add a check to the buyCollateralFromAuction function to verify that the bidder either buys the full amount of collateral or keeps enough funds in the ongoing auction to attract bidders:
function buyCollateralFromAuction(address token, uint amount) override external {
Auction memory auction = auctions[token];
// validate auction
require(_isAuctionOngoing(auction.startedAt, auction.expiryTime), "IF.no_ongoing_auction");
// transfer funds
uint vusdToTransfer = _calcVusdAmountForAuction(auction, token, amount);
address buyer = _msgSender();
vusd.safeTransferFrom(buyer, address(this), vusdToTransfer);
IERC20(token).safeTransfer(buyer, amount); // will revert if there wasn't enough amount as requested
+ // auction must be liquid enough to attract bidders+ uint256 tokenRemaining = IERC20(token).balanceOf(address(this));+ require(tokenRemaining == 0 ||+ _calcVusdAmountForAuction(auction, + token, tokenRemaining) > 10e6)
// close auction if no collateral left
if (IERC20(token).balanceOf(address(this)) == 0) {
auctions[token].startedAt = 0;
}
}
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
0x3e84fa45
medium
Collateral can be auctioned off at stale price
Summary
In an ongoing auction, additional collateral is added with each debt seizure, and it is subsequently sold at the prevailing auction price. The ongoing auction price can significantly deviate from the the fair value when low quantities are being auctioned.
Vulnerability Detail
The auction begins at the market price and gradually decreases to 0.
This system can be exploited by an attacker who manipulates an ongoing auction and then triggers a new auction at the stale price by calling
settleBadDebt
.Here is an example of an ETH Auction scenario:
settleBadDebt
, injecting an additional 10 ETH into the auction.Impact
The insurance fund and all insurance stakers generate a loss as they sell their seized collateral at a price that is significantly below the market price.
Code Snippet
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/InsuranceFund.sol#L167-L168
https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/InsuranceFund.sol#L184
Tool used
Manual Review
Recommendation
The core issue is that an auction can become stale when not enough collateral is being auctioned off. This can be avoided by setting a minimum size for each collateral type added as margin.
Further we must add a check to the
buyCollateralFromAuction
function to verify that the bidder either buys the full amount of collateral or keeps enough funds in the ongoing auction to attract bidders:Duplicate of #168
The text was updated successfully, but these errors were encountered: