FLO-11: Inconsistent Moet Accounting Leads to Supply Inflation and Liquidity Mirages #220
Description
Severity: Medium
Files Affected
cadence/contracts/FlowALPv1.cdc
Description
The protocol treats its native asset, MOET, with an inconsistent accounting model. It functions as a minted CDP (Collateralized Debt Position) during automated rebalancing but as a standard finite-supply token during manual operations. When a position is overcollateralized, _rebalancePositionNoLock() uses a privileged MOET.Minter to create new tokens and push them to a drawDownSink. However, the protocol fails to perform the inverse: it never burns MOET when a debt is repaid via depositToPosition(), instead storing the tokens in the pool's reserves. Furthermore, manual borrows via withdraw() do not trigger the minter; they attempt to pull from the reserves, which may be empty even if the user is heavily overcollateralized. This can result in MOET tokens reflected in the total supply without collateral backing. Exploit Scenario:
- A user is overcollateralized and the protocol's bot triggers an automated rebalance, minting 1,000 MOET and sending it to the user's sink. The global MOET supply increases by 1,000.
- The user later repays the 1,000 MOET debt. The protocol accepts the tokens into its reserves but does not burn them.
- The user withdraws his collateral.
- The global supply remains artificially inflated by 1,000 tokens, which are not collateralized anymore.
Recommendation
Standardize MOET as a pure CDP asset within the Pool logic. All MOET borrowing should result in a mint(), and all MOET repayments (deposits into a debit balance) should result in an immediate burn(). This ensures the MOET total supply always equals the aggregate outstanding debt of the protocol and eliminates the liquidity mirage for manual borrowers.
Parent Issue: #209