Marginal Smart Contract Unsafe Downcasting Vulnerability Allowing Debt Settlement Exploitation

Vulnerability

A vulnerability exists in the Marginal v1 smart contract due to unsafe downcasting of numeric types, specifically in the 'adjust()' function of the 'MarginalV1Pool' contract. This flaw allows an attacker to settle large debt positions for a minimal asset cost by exploiting integer truncation. The issue arises because the contract casts calculated margin values to 'uint128' without checking that they fit in that type, so values above the 'uint128' maximum are silently truncated to their low 128 bits. As a result, an attacker can manipulate the system to drain protocol liquidity using a flash loan, without requiring special access or user interaction.

Impact

Exploitation of this vulnerability allows for unauthorized settlement of debt positions, causing substantial financial loss to the protocol by enabling attackers to drain liquidity for a fraction of the cost.

Reproduction

The vulnerability can be reproduced by calling the 'adjust()' function on a vulnerable 'MarginalV1Pool' contract proxy. This can be done by sending a transaction that includes a crafted input designed to exceed the 'uint128' limit, such as a margin value that represents a large debt obligation. The transaction can be executed through a permissionless flash loan from Aave or Uniswap V3 on the Ethereum Mainnet, taking advantage of the unchecked downcasting to settle the debt for a negligible asset cost.

Remediation

The vulnerability has been patched by updating the smart contract to use OpenZeppelin's SafeCast library, which ensures safe conversions between numeric types. The patched implementation is now deployed on the Ethereum Mainnet.
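To make the bug class and the fix concrete, the following is an added example and not Marginal's code: a hypothetical contract ('DowncastDemo', with assumed 'Position' fields and function names) that stores margin as 'uint128', showing the unchecked cast next to the SafeCast version the remediation describes. It assumes OpenZeppelin's SafeCast at its usual import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";

// Hypothetical illustration, not MarginalV1Pool code. The position stores margin
// as uint128 while the margin arithmetic runs in uint256, mirroring the bug class.
contract DowncastDemo {
    using SafeCast for uint256;

    struct Position {
        uint128 margin; // narrow storage field
        uint256 debt;   // wide value the margin is compared against
    }

    mapping(uint256 => Position) public positions;

    // Vulnerable pattern: an explicit uint128(...) cast keeps only the low 128 bits.
    // Solidity 0.8 checked arithmetic covers +, -, * but NOT explicit narrowing casts,
    // so a value >= 2**128 wraps silently instead of reverting.
    function adjustUnsafe(uint256 id, uint256 computedMargin) external {
        positions[id].margin = uint128(computedMargin);
        // e.g. computedMargin = 2**128 + 1 is stored as margin = 1
    }

    // Hardened pattern (what the remediation describes): SafeCast.toUint128 reverts
    // when the value does not fit, so the stored margin always equals the computed one.
    function adjustSafe(uint256 id, uint256 computedMargin) external {
        positions[id].margin = computedMargin.toUint128();
    }

    // Defensive invariant worth checking after any narrowing store: the persisted
    // value round-trips to the value that was computed. It is false after
    // adjustUnsafe with a value >= 2**128 and can never be false after adjustSafe.
    function marginMatches(uint256 id, uint256 computedMargin) external view returns (bool) {
        return uint256(positions[id].margin) == computedMargin;
    }
}
```

Calling 'adjustUnsafe(1, 2**128 + 1)' followed by 'marginMatches(1, 2**128 + 1)' returns false, which is the truncation the advisory describes; the same call through 'adjustSafe' reverts instead.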

Added: Apr 7, 2026, 4:34 PM
Updated: Apr 7, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.