Stability Pool Bug Post Mortem and Remediation Plan

Shade Protocol Community,

On August 5th, the Shade Protocol contributors were made aware of an issue with claiming particular liquidated collateral tokens from the stability pool. After further troubleshooting and investigation, the protocol contributors discovered a minor bug in the Stability Pool deployed for Shade Lend that prevented the claiming of tokens with 18 decimals below a certain threshold.

Problem Explained:

The contract’s “claim” logic normalized token amounts from utokens (1 SCRT at 6 decimals is 1000000 utokens/uscrt) by scaling them up to 18 decimals. These normalized values are used for the background math to increase precision during division and multiplication operations. When the reward tokens were summed, it was the normalized amounts that were summed to determine how many tokens were owed to the claiming user.

Included within this claim logic was a check that was intended to avoid sending “dust” to users:

    if send_amount > U256::from(10u128.pow(asset.decimals.into())) {
        // send tokens to user
    }

The send_amount in this check is a normalized token amount, while the right side of the comparison is 1 token in the asset’s own decimals (1 * 10^decimals). So if the user was claiming 1 SCRT (normally 6 decimals, normalized to 10^18), the check would look like:

    if 1000000000000000000 > 1000000 {}

During normal operations it passes for nearly all cases. In order for this check to fail for a token like SCRT, the user would need to be claiming less than .0000000000001 SCRT. For tokens that are configured with 18 decimals though, this check becomes problematic. In the example of a user claiming ETH, they would need to be claiming greater than 1 ETH in order for the claim to go through.

Impact

The impact is that, as far as we can tell, no ETH, INJ, or other 18-decimal tokens could be claimed by individuals set to receive less than 1 nominal token at the time of claiming, over the lifetime of this contract.

The storages for these rewards were cleared before the problematic check occurred, so any rewards for which a claim was attempted were erased, making it difficult to reconcile the situation accurately.

Contract Remediation

The stability pool has been migrated in place using a contract migration.

The problematic check was fixed by denormalizing the send_amount back to utokens and then performing a zero check, so that any non-zero token amount is sent to the claiming user.

Additionally, a new execute message was added to the Stability Pool contract so the admin can “withdraw” idle funds from the contract in order to redistribute rewards to stability pool depositors. The purpose of the additional admin execute message is to allow the protocol to claim and distribute “missed” rewards over the last 1.5 years since the contract was instantiated, as these previous rewards cannot be “normally” distributed after storages for these rewards were cleared after previous claim attempts.

Following the stability pool contract migration, users will be able to claim all discounted collateral tokens received from participating in SILK liquidations without any issue.

Reward Remediation

In order to properly distribute rewards to all SILK earn depositors that should have received discounted wETH.axl, wstETH.axl, INJ and stINJ collateral, users will need to perform the following steps which are all clearly displayed on the linked remediation page:

  • Visit Shade App and connect your wallet

  • SILK earn depositors will need to follow the 4 steps listed in detail on the remediation page to check for potential missed rewards:

    • 1st step: Click “start SILK earn check”
    • 2nd step: Click “Recreate SILK earn permit”
    • 3rd step: Click “Recalculate missing rewards”
    • 4th step: Click “Generate”, to generate a proof of your rewards
  • Users will need to then click the support widget in the bottom right corner of the Shade app and create a support request with the following details:

    • Type “Request” in the search bar, and then click “Submit a Request” at the bottom of the support widget.
    • For the summary field, input “Silk Earn Rewards Claim Remediation”
    • For the description field, copy/paste the Rewards Proof into the description field
    • For the email field, users can input any valid email address (this is a required field for generating a ticket). If users do not wish to be updated about their claim with a tx hash when rewards are sent out, they can input a temporary email address.

Once users submit their proof for SILK earn claims, these proofs will be validated by the team. Once a user’s proof has been validated, they will be promptly sent their discounted collateral that was not previously claimed.

We want to thank everyone for their continued support of Shade Protocol and SILK, and highlight our appreciation for each and every one of our dApp users, our supporters on socials, the teams of builders around Secret Network and the Cosmos ecosystem. We’re excited to both rightly fix the issues we’ve encountered and continue building on towards a brighter future for private DeFi.

Onward and Upwards,
Shade Protocol contributors

3 Likes
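
The dust check and its remediation described in the post above, as an added Rust example that is not the Shade contract's code. It assumes u128 as a stand-in for the contract's U256, an 18-decimal normalization target and tokens with at most 18 decimals; all function names are hypothetical. It also models the reward storage being cleared before the check runs, as the Impact section describes.

```rust
// Added illustration, not the Shade contract's code. u128 stands in for the
// contract's U256; function names are hypothetical; assumes decimals <= 18.
const NORMALIZED_DECIMALS: u32 = 18;

/// Scale an amount in the token's base units (utokens) up to 18 decimals.
fn normalize(base_units: u128, decimals: u32) -> u128 {
    base_units * 10u128.pow(NORMALIZED_DECIMALS - decimals)
}

/// Scale a normalized amount back down to base units, truncating any remainder.
fn denormalize(normalized: u128, decimals: u32) -> u128 {
    normalized / 10u128.pow(NORMALIZED_DECIMALS - decimals)
}

/// The check from the post: a normalized amount compared against 10^decimals.
fn buggy_should_send(send_amount: u128, decimals: u32) -> bool {
    send_amount > 10u128.pow(decimals)
}

/// The remediation from the post: denormalize first, then send any non-zero amount.
fn fixed_send_amount(send_amount: u128, decimals: u32) -> Option<u128> {
    let base_units = denormalize(send_amount, decimals);
    if base_units > 0 { Some(base_units) } else { None }
}

/// Claim flow with the reward storage cleared before the check runs.
/// Returns the base units actually sent to the user.
fn claim_buggy(pending: &mut u128, decimals: u32) -> u128 {
    let send_amount = std::mem::take(pending); // storage is zeroed here
    if buggy_should_send(send_amount, decimals) {
        denormalize(send_amount, decimals)
    } else {
        0 // nothing sent, and the owed amount is already gone
    }
}

fn main() {
    // Constructed sample amounts: 1 SCRT (6 decimals), 0.5 of an 18-decimal token.
    let one_scrt = normalize(1_000_000, 6);
    let half_eth = normalize(500_000_000_000_000_000, 18);
    println!("1 SCRT passes old check: {}", buggy_should_send(one_scrt, 6));
    println!("0.5 ETH passes old check: {}", buggy_should_send(half_eth, 18));
    println!("0.5 ETH under the fix: {:?}", fixed_send_amount(half_eth, 18));
    let mut pending = half_eth;
    let sent = claim_buggy(&mut pending, 18);
    println!("old claim sent {}, pending left {}", sent, pending);
}
```
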