Omniscia Euler Finance Audit
Governance Manual Review Findings
GEC-01M: Potentially Weak Validation of Caps
Type | Severity | Location |
---|---|---|
Input Sanitization | | Governance.sol:L263, L266 |
Description:
The Governance::setCaps function sanitizes the input supplyCap and borrowCap values; however, it does not ensure that a non-zero cap input results in a non-zero value in the AmountCap mantissa representation.
Impact:
As Governance::setCaps is a governor-controlled function, we consider its calls to be reviewed and thus do not anticipate this misconfiguration manifesting in production.
Example:
```solidity
259 /// @inheritdoc IGovernance
260 function setCaps(uint16 supplyCap, uint16 borrowCap) public virtual nonReentrant governorOnly {
261     AmountCap _supplyCap = AmountCap.wrap(supplyCap);
262     // Max total assets is a sum of max pool size and max total debt, both Assets type
263     if (supplyCap > 0 && _supplyCap.toUint() > 2 * MAX_SANE_AMOUNT) revert E_BadSupplyCap();
264
265     AmountCap _borrowCap = AmountCap.wrap(borrowCap);
266     if (borrowCap > 0 && _borrowCap.toUint() > MAX_SANE_AMOUNT) revert E_BadBorrowCap();
267
268     vaultStorage.supplyCap = _supplyCap;
269     vaultStorage.borrowCap = _borrowCap;
270
271     emit GovSetCaps(supplyCap, borrowCap);
272 }
```
Recommendation:
We advise the code to ensure that the _supplyCap.toUint() and _borrowCap.toUint() calculations result in a non-zero value when the respective input arguments are non-zero, preventing a non-zero exponent with a zero mantissa from being specified in the function.
Alleviation (fb2dd77a6ff9b7f710edb48e7eb5437e0db4fc1a):
The Euler Finance team evaluated this exhibit and clarified that a zero-value mantissa with a non-zero exponent is considered a valid configuration of the cap as 0, whereas a zero mantissa and zero exponent is considered a valid configuration of the cap as unlimited. Based on this fact and the additional documentation introduced around this mechanism, we consider the original exhibit inapplicable as it describes desirable behaviour.
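To make the mantissa/exponent edge case in this exhibit concrete, the following added example (not Euler's or Omniscia's code) models the AmountCap packing and both the audited check and the recommended stricter check in Python. The packing rule, the MAX_SANE_AMOUNT value and the function names are assumptions based on the public Euler Vault Kit AmountCapLib, not values this report states.

```python
# Added example, not project code. Assumed AmountCap packing (Euler Vault Kit
# AmountCapLib): low 6 bits = decimal exponent, high 10 bits = mantissa,
# value = mantissa * 10**exponent / 100, and a raw 0 means "unlimited".
MAX_SANE_AMOUNT = 2**112 - 1  # assumed bound; the report does not give the value
UNLIMITED = 2**256 - 1


def amount_cap_to_uint(raw: int) -> int:
    """Decode a raw uint16 AmountCap into the amount it represents."""
    assert 0 <= raw <= 0xFFFF, "AmountCap is a uint16"
    if raw == 0:
        return UNLIMITED  # zero mantissa AND zero exponent: no cap at all
    exponent = raw & 63
    mantissa = raw >> 6
    # A zero mantissa with a non-zero exponent decodes to 0: a cap of zero.
    return mantissa * 10**exponent // 100


def set_caps_as_audited(supply_cap: int, borrow_cap: int) -> tuple[int, int]:
    """Mirror of the validation in Governance::setCaps as shown in the report."""
    supply = amount_cap_to_uint(supply_cap)
    if supply_cap > 0 and supply > 2 * MAX_SANE_AMOUNT:
        raise ValueError("E_BadSupplyCap")
    borrow = amount_cap_to_uint(borrow_cap)
    if borrow_cap > 0 and borrow > MAX_SANE_AMOUNT:
        raise ValueError("E_BadBorrowCap")
    return supply, borrow


def set_caps_with_recommendation(supply_cap: int, borrow_cap: int) -> tuple[int, int]:
    """Audited checks plus the report's recommendation: a non-zero raw cap that
    decodes to zero (zero mantissa, non-zero exponent) is rejected. The team's
    position is that such an input is a deliberate cap of 0, so this stricter
    variant is shown only to illustrate what the recommendation would reject."""
    supply, borrow = set_caps_as_audited(supply_cap, borrow_cap)
    if supply_cap > 0 and supply == 0:
        raise ValueError("supply cap has a non-zero exponent but encodes zero")
    if borrow_cap > 0 and borrow == 0:
        raise ValueError("borrow cap has a non-zero exponent but encodes zero")
    return supply, borrow
```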
GEC-02M: Insecure Clearance of LTV
Type | Severity | Location |
---|---|---|
Logical Fault | | Governance.sol:L225-L230 |
Description:
The Governance::clearLTV function permits an LTV to be cleared via the LTVConfigLib::clear function, which sets the targetTimestamp to 0. In turn, this causes the collateral to no longer be recognized, permitting debt socialization as well as immediate liquidations on positions that relied on the cleared collateral.
Impact:
The present Governance::clearLTV function cannot be executed without affecting users negatively, and requires a redesign to function as expected.
Example:
```solidity
224 /// @inheritdoc IGovernance
225 function clearLTV(address collateral) public virtual nonReentrant governorOnly {
226     uint16 originalLTV = getLTV(collateral, LTVType.LIQUIDATION).toUint16();
227     vaultStorage.ltvLookup[collateral].clear();
228
229     emit GovSetLTV(collateral, 0, 0, 0, originalLTV);
230 }
```
Recommendation:
We advise the Governance::clearLTV function to be revised, as the governance-based time delay may be insufficient for users to recover their positions to a healthy state before the proposal is executed.
As potential remediations, we advise the function to be omitted entirely and the Governance::setLTV function to be utilized with an ltv of 0, permitting the LTV to lower gradually to 0. Alternatively, we advise user positions that have a collateral whose LTV was cleared recently to be "immune" to liquidations for a brief window, permitting those users to react to the event and re-stabilize their positions.
Alleviation (fb2dd77a6ff9b7f710edb48e7eb5437e0db4fc1a):
The Euler Finance team evaluated this exhibit and clarified that the GovernanceModule::clearLTV function is an emergency mechanism that deliberately behaves precisely as described, so as to protect against critical security threats that malicious collateral may pose within the EVK. Documentation was introduced that further clarifies the purpose of the Governance::clearLTV function, and as such we consider this exhibit to be inapplicable given that it describes business-requirement aligned code functionality.