Users are able to front-run bad debt settlements to avoid insurance costs #59
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/InsuranceFund.sol#L71-L75
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/InsuranceFund.sol#L62-L69
Vulnerability details
Impact
A user is able to front-run the call to `seizeBadDebt()` in `InsuranceFund.sol` to avoid paying the insurance costs. `seizeBadDebt()` is called by `MarginAccount.settleBadDebt()`, which is a public function. When this function is called, the transaction will appear in the mempool. A user may then call `InsuranceFund.withdraw()` to withdraw all of their shares. If they do this with a higher gas fee, it will likely be processed before the `settleBadDebt()` transaction. In this way they will avoid incurring any cost from the assets being seized.

The impact is that users may collect their share of the insurance funding payments with minimal risk of having to repay these costs (minimal because there is a chance the front-run will not succeed).
Proof of Concept
Recommended Mitigation Steps
Consider making withdrawals a two-step process. The first step requests a withdrawal and records the time. The second step processes the withdrawal but requires a period of time to have elapsed since the first step.

To avoid users constantly having a pending withdrawal, each withdrawal should have an expiry time and a recharge time. If the second step is not called within the expiry time, the request should be considered invalid. The first step must not be callable again until the recharge time has passed.

Another solution involves a design change where the insurance fund is slowly filled up over time without external deposits. However, this has the disadvantage that bad debts received early in the protocol's lifetime may not have sufficient insurance capital to cover them.
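The two-step withdrawal described above, as an added sketch that is not the Hubble code: share accounting is a plain mapping rather than the ERC20 vault, `seizeBadDebt()` is reduced to writing a loss down against the pool, and the three time constants are illustrative values, not protocol parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;
// Simplified share-based fund (hypothetical, not InsuranceFund.sol) showing
// request/delay/expiry/recharge; the periods below are assumed values.
contract TwoStepWithdrawalFund {
    uint256 public constant WITHDRAW_DELAY  = 1 days; // step 2 allowed only after this
    uint256 public constant REQUEST_EXPIRY  = 3 days; // step 2 invalid after this
    uint256 public constant RECHARGE_PERIOD = 7 days; // step 1 blocked for this long after a request
    uint256 public totalShares;
    uint256 public poolValue; // assets backing all shares
    mapping(address => uint256) public shares;
    mapping(address => uint256) public pendingShares;
    mapping(address => uint256) public requestedAt;
    function deposit() external payable {
        uint256 minted = totalShares == 0 ? msg.value : msg.value * totalShares / poolValue;
        shares[msg.sender] += minted;
        totalShares += minted;
        poolValue += msg.value;
    }
    // Step 1: record the intent; shares stay in the pool and keep bearing losses.
    function requestWithdrawal(uint256 amount) external {
        require(amount > 0 && amount <= shares[msg.sender], "bad amount");
        require(block.timestamp >= requestedAt[msg.sender] + RECHARGE_PERIOD, "recharging");
        pendingShares[msg.sender] = amount;
        requestedAt[msg.sender] = block.timestamp;
    }
    // Step 2: valid only inside [requestedAt + DELAY, requestedAt + EXPIRY].
    function withdraw() external {
        uint256 amount = pendingShares[msg.sender];
        uint256 t = requestedAt[msg.sender];
        require(amount > 0, "no request");
        require(block.timestamp >= t + WITHDRAW_DELAY, "too early");
        require(block.timestamp <= t + REQUEST_EXPIRY, "request expired");
        pendingShares[msg.sender] = 0;
        // Priced at execution time, so a seizure landing during the delay is still borne here.
        uint256 payout = amount * poolValue / totalShares;
        shares[msg.sender] -= amount;
        totalShares -= amount;
        poolValue -= payout;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
    // Stand-in for seizeBadDebt(); access control omitted in this sketch.
    function seizeBadDebt(uint256 loss) external {
        poolValue -= loss;
    }
}
```

Because the payout is computed when step 2 executes, a `seizeBadDebt()` that is mined between the request and the withdrawal still reduces what the requester receives, which removes the incentive to front-run `settleBadDebt()`.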