Protocol doesn't handle vault loss.

[code423n4]

Lines of code

https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos-Core/contracts/ActivePool.sol#L251

Vulnerability details

Description

Ethos core contracts are not designed to deal with losses. This is because vaults invest in strategies that are not designed to lose money.

Impact/POC

Globally, this system doesn't handle losses, but let's take an example to show why this is critical:

Let's say a vault strategy is hacked and 10% of the total collateral disappears.

This assignment will now revert every time _rebalance() is called : ActivePool.sol#L251

vars.profit = vars.sharesToAssets.sub(vars.currentAllocated);

Now sharesToAssets < currentAllocated. Because we try to assign a negative value to an uint , _rebalance will now always revert making the system DOS :

In BorrowerOperations 100% DOS

• openTrove
• closeTrove
• _adjustTrove
• addColl, withdrawColl
• withdrawLUSD, repayLUSD
  In TroveManager 80% DOS
• liquidateTroves
• batchLiquidateTroves
• redeemCloseTrove

This will probably trigger fear in users and they will start selling their LUSD on the secondary markets causing a depeg. Probably nobody will want to buy back LUSD since the system is DOS users are no longer incentivises to maintain the peg.

Note that a hack or bug in a strategy that results in a loss of funds of just a few basis points can trigger this massive DOS.

With 2 examples we will figure out why this is really concerning

1st scenario (the repairable one) :

Context : TVL = 1 000 000 ; lossPercentage = 0.01% ⇒ loss = 10 000$

Here 10k have been hacked from a strategy. The loss is small but the protocol DOS anyway. The Ethos team can fix the protocol by manually sending 10k$ of the underlying collateral to the vault that has been hacked in order artificially increase the share price.

Impact : protocol DOS during 1 day and Ethos loss 10 000$

2nd scenario :

Context : TVL = 1B ; lossPercentage = 10% ⇒ loss = 100M$

Now the team will have to send 100M to the vault to repair the protocol. If they never find the money the other 900M$ will be stuck in the protocol forever. Making users lose 100% of their investment instead of only 10%.

Mitigation

This scenario needs to be handled properly.

A safer system would be to spread the loss over all investors.

If we take the example above, everyone loses 10%. The TCR will fall, causing some troves to be liquidated. If the loss is greater than 10%, some troves may be underwater. Liquidity providers of stability pool will absorb the loss, but at least the integrity of the system is maintained and the LUSD remains pegged.

Even though the strategies invested in are the safest in the industry, I think it's worth implementing a loss-handling mechanism to ensure that the protocol remains robust over time.

[c4-judge]

trust1995 marked the issue as duplicate of #747

[c4-judge]

trust1995 marked the issue as satisfactory

[c4-judge]

trust1995 changed the severity to 2 (Med Risk)