Skip to content

Latest commit

 

History

History
29 lines (23 loc) · 3.04 KB

061.md

File metadata and controls

29 lines (23 loc) · 3.04 KB

Orbiting Sangria Porpoise

Medium

Healthy debts can be liquidated by manipulating nuAsset price

Description

While calculating the LTV of a borrow, the protocol internally calls conversion functions like numaToToken() which goes on to calculate the backing i.e. the LST value in ETH using EthBalance - synthValueInEth where synthValueInEth is based on oracle price of the nuAsset (synthetic asset) fetched via getTotalSynthValueEth(). This gives rise to the following attack vector:

  1. Alice buys a large quantity of NUMA by depositing rEth in a vault.
  2. Bob buys some NUMA by depositing rEth in the vault.
  3. Bob mints cNuma by depositing NUMA in a lending contract.
  4. Against his cNuma, Bob borrows some rEth at LTV 78%. Max allowed is say, 80%. At this time let's say there are no synthetics minted.
  5. Alice commences her attack. She mints considerable nuAssets using her NUMA. The NUMA/rEth rate isn't drastically effected yet.
  6. Alice manipulates oracle rate of nuAsset by purchasing a huge amount of it on a LP pool. She can use a flash loan for funding. Even if TWAP prices are used, the impact is dampened but not mitigated.
    • It's important to note that getTotalSynthValueEth() is the total value of all nuAssets. The attack may even work better if multiple nuAssets exist. Now Alice can manipulate & hike the price of each nuAsset just enough to remain within limits (bypassing checks related to maxSpotOffset) and achieve an overall increase in synthValueInEth.
  7. This causes EthBalance - synthValueInEth to reduce considerably and hence rEth becomes significantly expensive than before when compared to NUMA.
  8. The rEth borrowed by Bob now is deemed to have a much higher value and pushes his LTV beyond the acceptable 80%.
  9. Alice liquidates Bob and is free to use the flashLoan = true route while doing so. She pockets the profit of liquidation.
  10. Alice sells the previously purchased nuAsset back on LP pool and returns any flash loans she may have taken, pushing oracle rates back down to normal.
  11. She can now burn her vault nuAssets too and get back NUMA. She may choose to also sell this NUMA and get rEth back from the vault now.

Impact

Healthy debts can be manipulated to be made unhealthy and liquidated by a malicious liquidator.

Recommendation

Couple of approaches the protocol could take:

  • Add circuit breakers that prevent liquidations if synthetic prices move beyond certain thresholds in a short time period
  • Implement time delays before liquidations are possible if LTV has moved up more than a threshold % within a short time