Debt created during mint is arbitragable #116
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
Handle
hyh
Vulnerability details
Impact
The collateral requirements for debt positions created during mint and borrow operations differ. When the quantity of the asset added is low compared to the pool's current asset holdings, an LP has a clear incentive to repay its debt right after mint and borrow the same amount of the asset with the lower collateral requirement.
This leaves its liquidity shares intact, as repaying the debt doesn't spend them. At the same time, the collateral is freed up because the borrower's requirements are less restrictive.
Proof of Concept
BorrowMath.getCollateral scales the additional collateral requirement, making it lower when xDecrease < state.x – xDecrease, i.e. for a non-whale borrower the collateral requirement is decreased by xDecrease / (state.x – xDecrease):
https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/libraries/BorrowMath.sol#L72-77
MintMath.getCollateral does not scale the collateral requirement, placing a flat 1.0 coefficient in the same formula:
https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/libraries/MintMath.sol#L100
Recommended Mitigation Steps
Consider bringing MintMath.getCollateral in line with BorrowMath.getCollateral for the low asset provision cases. For high asset provision cases it makes sense to avoid penalizing the LPs for bringing in more assets to the pool.