Multi-collateral loans bug disclosure
Last week a bug in the recent multi-collateral loans release was discovered. The issue resulted in some loans being flagged for total liquidation when only partial liquidation was required. This post will provide a general overview, but for a more comprehensive explanation please see the recently published GitHub issue.
The bug was disclosed privately by the team at Marqet Exchange — Synthetix will award Marqet a bug bounty for its discovery and disclosure.
If you have taken out a multi-collateral loan or an sUSD short, please see the ‘Action required’ section below for further steps.
As usual, the multi-collateral loans mechanism was fully audited, with the audit report from Iosiro available to read online. We will be coordinating with the Iosiro team on the remediation process to minimise the chance of similar issues in future releases.
The bug results in some multi-collateral loans being flagged incorrectly for full liquidation when only partial liquidation is required.
Normal loans for borrowing sUSD against ETH or renBTC are not vulnerable, since both values are denominated in sUSD. Loans such as sETH against ETH or sBTC against renBTC are vulnerable; however, they are protected from movements in their Collateralisation Ratios and therefore can only become at risk over longer time periods, as interest fees accrue.
The most vulnerable positions are sUSD shorts, since the shorts are denominated in sBTC/sETH and the Collateralisation Ratios of these positions vary with the BTC and ETH prices.
The pDAO has paused the ability to open new positions using the multi-collateral contract. At the time of this post all open positions had been safely closed.
New contracts will be deployed in our next release, Castor, which is planned for this week.
We recommend closing loans backed by ETH and renBTC, regardless of the currency that was borrowed. For loans taken out in sETH or sBTC, the risk is that over time the loan will accrue enough interest to make it under-collateralised. At this point it will become vulnerable to this liquidation bug, which may result in a loss of funds. Although sUSD loans are not affected by this bug, we recommend closing these positions and reopening them when the new contracts are deployed.
Synthetix has had an open bug bounty programme since early 2019, and the bug bounty tiers are as follows:
- Informational: $100 sUSD
- Low severity: $500 sUSD
- Moderate severity: $1,000 sUSD
- High severity: $5,000 sUSD
If any further bugs are discovered at any point, please reach out to the Synthetix core contributors at firstname.lastname@example.org. If the bug is perceived to be of moderate severity or higher, please also reach out to any core contributors who happen to be online in the Synthetix Discord at that time.