Summary
Security audit of recent changes to the liquidation logic within the Granite core-v1 lending protocol on Stacks, focusing on repay amount denomination and edge cases in adjacent code including bad-debt socialization and staking share inflation.
Audited Functionality
Granite is a DeFi lending market that offers overcollateralized loans on SIP-10 tokens managed and operated by immutable smart contracts on the Stacks Bitcoin L2 ecosystem.
This engagement reviewed changes made to the liquidation logic with regard to repay amount denomination. During the review, a few other issues were found in adjacent code and are included in the findings:
- Liquidation repay denomination changes to the liquidator contract affecting how repay-allowed values interact with total-collaterals-liquid-value calculations
- Bad-debt socialization edge cases around division-by-zero scenarios that could permanently block liquidation of certain positions
- Staking share inflation attack vector enabling theft from subsequent stakers on new markets through share price manipulation
Findings Breakdown
About Granite
www.granite.world
Granite is a Bitcoin liquidity protocol built on Stacks that allows users to borrow stablecoins against their Bitcoin collateral. Incubated by Trust Machines, the protocol uses sBTC (a decentralized Bitcoin bridge) to connect Bitcoin to DeFi while keeping BTC securely stored on the Bitcoin blockchain. Key features include isolated collateral with no rehypothecation (user collateral is never lent to others), soft liquidations that only liquidate the minimum amount required to restore solvency, and offline position tracking via push notifications. The protocol serves both borrowers seeking liquidity without selling their Bitcoin and lenders earning yield by providing stablecoins to the liquidity pool.