# [2024-01 - Ethereum Credit Guild] Pre-sorting

**Contest repo:** https://github.com/code-423n4/2023-12-ethereumcreditguild

**Findings repo:** https://github.com/code-423n4/2023-12-ethereumcreditguild-findings

**Judging by:** [TrungOre](https://twitter.com/Trungore) (Discord: `trungore`)

**Pre-sorting by:** [sorryNotsorry](https://twitter.com/0xSorryNotSorry) (Discord: `0xsorrynotsorry`)
# High Severity Primary Submissions (50)
## [[H-1213] Users lose all GUILD tokens voted for a gauge by forced loss](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1213)
## [[H-1211] New user is able to gain ALL rewards since protocol launch](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1211)
## [[H-1208] All rewards are lost with moderate amount of GUILD tokens voted for a gauge](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1208)
## [[H-1182] Loans with a minimum borrowing amount can not be partially repaid](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1182)
## [[H-1173] Liquidators can short credit tokens via PSM contract for massive profits.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1173)
## [[H-1170] `totalBorrowedCredit` can revert, breaking gauges.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1170)
## [[H-1166] PnL system can be broken by large users intentionally or unintentionally.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1166)
## [[H-1164] `surplusGuildMinter.sol`:`getRewards` uses bad value for userStake](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1164)
## [[H-1147] Replay attack to suddenly offboard the re-onboarded lending term](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1147)
## [[H-1141] Re-triggering the `canOffboard[term]` flag to bypass the DAO vote of the lending term offboarding mechanism](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1141)
## [[H-1125] Lending term can be permanently DoS(ed) from being onboarded](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1125)
## [[H-1100] Reward distribution calendar isn't correctly implemented, and can be disturbed for almost no cost](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1100)
## [[H-1069] CreditMultiplier is not applied to `creditAsked` when a bid for an active auction is placed. This can reduce the creditMultiplier and thus the value of creditToken holders.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1069)
## [[H-1039] Attacker Can Take a Loan and Retrieve Their Full Collateral on Auction Without Repaying the Debt](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1039)
## [[H-1014] Unable to change the auction house if forgive() is called by the governor on an auctioned loan](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1014)
## [[H-1001] Wrong ProfitManager in GuildToken, will always revert for other types of gauges leading to bad debt](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1001)
## [[H-994] Malicious borrower can decrease Guild holders' rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/994)
## [[H-991] Anyone can steal all distributed rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/991)
## [[H-957] Protocol is incompatible with PEG Tokens with >18 decimals](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/957)
## [[H-956] getRewards - users who were slashed but have not yet unstaked can still receive new rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/956)
## [[H-937] Updating MintRatio can lead to out of sync reward values](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/937)
## [[H-936] A malicious user can borrow more than the amount of `creditToken` which the protocol allows.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/936)
## [[H-925] Lack of slippage protection for the amountOut of the CREDIT to be minted, which leads to a huge slippage loss for a lender](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/925)
## [[H-907] [H-6] Borrowers will pay less interest due to Precision loss in the `interest` repayable by users in the LendingTerm.sol](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/907)
## [[H-877] Guild token holders can avoid loss using front-run.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/877)
## [[H-828] Borrowing is allowed even when there is no liquidity, exposing the borrower to unjustified fee payments](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/828)
## [[H-817] When minting new CreditTokens if the account is rebasing and unminted rewards are minted to the account, the total unminted rewards won't be considered to compute the number of rebasing shares owned by the account](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/817)
## [[H-786] Minting credit tokens before `creditMultiplier` is updated down and redeeming for underlying tokens after `creditMultiplier` is updated down would cause an underlying token amount that is a part of `pegTokenBalance` to always remain in `SimplePSM` contract and be lost](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/786)
## [[H-783] Calling `LendingTerm._partialRepay` function can cause borrower to lose credit tokens used for partial repayment and fail to receive proportional collateral amount for corresponding loan if borrower becomes unable to make more partial repayments](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/783)
## [[H-782] Borrowers of loan term, which does not require interest or opening fee but does require partial repayments, who can only afford to repay partially, can lose their collaterals](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/782)
## [[H-764] The ProfitManager::withdrawFromSurplusBuffer() function is only callable by the GUILD_SURPLUS_BUFFER_WITHDRAW role, such role is granted only to the SurplusGuildMinter contract, and that contract doesn't call this function anywhere](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/764)
## [[H-747] [H-02]:`ERC20RebaseDistributor._shares2balance()`: User can permanently lose rebasing savings rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/747)
## [[H-720] The first user can manipulate the debt ceiling.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/720)
## [[H-709] Rounding issue in "Profit Sharing Config" calculation leads to incorrect (higher) credit split](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/709)
## [[H-685] Auction manipulation by block stuffing and reverting on ERC-777 hooks](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/685)
## [[H-484] Should use targetTotalSupply() instead of totalSupply() when calculating creditMultiplier](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/484)
## [[H-453] A malicious user can enter rebase with their CREDIT and then redeem their credit but continue earning rebase rewards indefinitely](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/453)
## [[H-451] Slashed stakers from SurplusGuildMinter will receive extra rewards stealing them from other stakers](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/451)
## [[H-450] Gauge voters won’t be slashed if they vote for a term in the same block it accrues bad debt](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/450)
## [[H-370] Inability to offboard term twice in a 7-day period may lead to bad debt to the market](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/370)
## [[H-335] RateLimitedMinter isn't used by SimplePSM, resulting in governance attacks](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/335)
## [[H-313] Borrower may redeem Credit tokens in PSM without paying the interest](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/313)
## [[H-292] ProfitManager's "creditMultiplier" calculation does not count undistributed rewards; this can cause value losses to users](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/292)
## [[H-269] Unsafe ERC20MultiVotes logic allows attackers to use flashloans to manipulate governance proposals](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/269)
## [[H-264] Potentially disenfranchised people can retain their voting rights and influence governance](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/264)
## [[H-262] claimGaugeRewards - users who have not yet applied a loss can still receive new rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/262)
## [[H-260] ERC20RebaseDistributor.updateTotalRebasingShares logic is incorrect, resulting in broken core invariant](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/260)
## [[H-223] Anyone can claimRewards on behalf of other users, causing them to get fewer rewards if GaugeProfitIndex increased](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/223)
## [[H-179] First Credit token minter acquires all future rewards when underlying token decimals=18](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/179)
## [[H-153] There is no way to liquidate underwater loans](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/153)
# Medium Severity Primary Submissions (62)
## [[M-1270] Users can miss out on rebasing credit token rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1270)
## [[M-1269] Incorrect constant used in deployment script](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1269)
## [[M-1253] No check for sequencer uptime can lead to dutch auctions failing or executing at bad prices](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1253)
## [[M-1249] Inability to withdraw funds for certain users due to `whenNotPaused` modifier in `RateLimitedMinter`](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1249)
## [[M-1245] Failed transfers in `LendingTerm.onBid()` will lead to protocol loss](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1245)
## [[M-1231] The `term` can be `re-onboarded` using a not allowed implementation](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1231)
## [[M-1226] Missing whenNotPaused modifier for redeem](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1226)
## [[M-1220] Callers can prevent `setAuctionHouse` happening](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1220)
## [[M-1217] ERC20RebaseDistributor: burn can be DoSed due to underflow issue](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1217)
## [[M-1214] Offboarded terms can still update PnL and mint credit tokens](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1214)
## [[M-1179] First minter of a gauge can mint more tokens than designed](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1179)
## [[M-1178] Users can avoid Gauge losses by following auctionhouse events.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1178)
## [[M-1124] Calculations in `LendingTerm._partialRepay` function contain divisions before multiplications](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1124)
## [[M-1110] Denial-of-service issue on `SurplusGuildMinter::getRewards()`](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1110)
## [[M-1103] CREDIT tokens can be stuck permanently and gradually dilute the value of the token](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1103)
## [[M-1101] `Redemptions` may not be paused properly leading to users being able to withdraw during `offboarding`](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1101)
## [[M-1057] There is no way to liquidate a position if it breaches maxDebtPerCollateralToken value creating bad debt.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1057)
## [[M-1053] ERC20Upgradeable collateral will brick the CREDIT token minting](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1053)
## [[M-1041] Repayers using EOA accounts can be affected if baddebt is generated when they are repaying loans](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1041)
## [[M-1032] Users can deflate other markets Guild holders rewards by staking less priced token](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/1032)
## [[M-999] 0% or very low percentage opening fee lending terms open a feasible DoS/griefing/sandwich attack vector on opening new loans](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/999)
## [[M-998] The `hardcap` is not reset in the `AuctionHouse::forgive`](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/998)
## [[M-941] In dual-gauge systems, all borrows will be bricked on both terms when the terms' calculated `debtCeilings` are equal, and will only be further allowed under specific, restrictive, conditions](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/941)
## [[M-939] SurplusGuildMinter.setRewardRatio will mess up guildReward](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/939)
## [[M-910] Zeroing term surplus buffer can cause inability to unstake funds](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/910)
## [[M-904] Resetting share prices if rebasing supply goes to 0 might cause a loss of rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/904)
## [[M-886] When a loan is forgiven, the notified loss does not include accrued interest.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/886)
## [[M-885] When only one gauge of a type exists, removing that gauge may result in the user not being able to decrement that gauge](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/885)
## [[M-880] debtCeiling uses incorrect totalWeight in calculation](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/880)
## [[M-878] When gauge loss occurs, applyGaugeLoss may fail due to exceeding the debt ceiling](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/878)
## [[M-858] In single gauge systems, the `debtCeiling()` calculation is faulty, resulting in stakers getting prematurely locked into a gauge as soon as its utilized debt allocation goes above ``50%``](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/858)
## [[M-827] Deprecated gauges will cause active gauges to be unable to retrieve rewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/827)
## [[M-816] Use of hardcoded, possibly incorrect time constants.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/816)
## [[M-742] When the `CreditMultiplier` goes down the minimum size of CREDIT loans needs to increase](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/742)
## [[M-729] Loans in gauge with zero gauges are not callable for auctioning](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/729)
## [[M-707] ERC20MultiVotes.sol#_incrementDelegation() - If the contract has maxDelegates == 0 and only allows contracts to vote through canContractExceedMaxDelegates, an existing delegate can still get his voting power incremented](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/707)
## [[M-700] A borrower who repays part of the loan is forced to pay the `openingFee` **several times**](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/700)
## [[M-678] Distribute() function incorrectly takes the `_totalRebasingShares` instead of `_rebasingSupply`](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/678)
## [[M-674] SurplusGuildMinter minting ratio should be adjusted with credit multiplier](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/674)
## [[M-651] The gauge status wasn't checked before reducing the user's gauge weight.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/651)
## [[M-644] Signature can be forged for random addresses](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/644)
## [[M-625] When loan repayment occurs, the amount reported to `RateLimitedMinter::replenishBuffer()` may be erroneous, causing an accelerated `bufferStored` growth](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/625)
## [[M-597] SurplusGuildMinter defines the MIN_STAKE constant as 1e18, which is a large minimum if the protocol wants to support gWETH](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/597)
## [[M-580] SurplusGuildMinter.unstake should replenish buffer in case of slashing](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/580)
## [[M-576] The lack of a counter-veto allows a veto with a small number of votes (much smaller than 51%), which can lead to DoS of governance](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/576)
## [[M-560] RateLimitedMinter is not correctly replenished in case of bad debt](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/560)
## [[M-555] GIP_0 proposal uses wrong BLOCKS_PER_DAY constant](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/555)
## [[M-543] User can still borrow after the loss is incurred in a gauge.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/543)
## [[M-477] The first borrower is able to borrow the full debt allocation of a system despite the full debt allocation being divided amongst multiple gauges](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/477)
## [[M-475] Over 90% of the Guild staked in a gauge can be unstaked, despite the gauge utilizing its full debt allocation](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/475)
## [[M-351] The `stake()` & `unstake()` functions in `SurplusGuildMinter` incorrectly call `incrementGauge()` & `decrementGauge()`](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/351)
## [[M-343] A lender can front run the setRedemptionsPaused function to withdraw a disproportionate amount of the pool](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/343)
## [[M-333] Gauge's weight will still take effect in markets where there is only one term.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/333)
## [[M-301] redeemableCredit() in PSM is incorrectly calculated, resulting in an incorrect totalBorrowedCredit()](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/301)
## [[M-294] Rounding errors can cause ERC20RebaseDistributor transfers and mints to fail for underflow](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/294)
## [[M-293] ERC20MultiVotes _decrementVotesUntilFree does not handle partial un-delegations](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/293)
## [[M-275] Failure to reference credit multiplier in SurplusGuildMinter staking results in guild voting power obtained from staking requiring less underlying value](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/275)
## [[M-250] No progression state can be easily reached](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/250)
## [[M-248] There's a case of precision loss in SurplusGuildMinter::getRewards](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/248)
## [[M-203] Certain rewards may be allocated to the SurplusGuildMinter, but users are unable to claim them.](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/203)
## [[M-152] Infinite loop in `ERC20Gauges::_decrementWeightUntilFree` when one of the user's gauges has a zero weight](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/152)
## [[M-143] Some borrowers won't be incentivised to pay their loans](https://github.com/code-423n4/2023-12-ethereumcreditguild-findings/issues/143)