The borrowATokenCap requirement doesn't work during a multicall.
#144
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-238
🤖_48_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Comments
c4-bot-8
added
2 (Med Risk)
howlbot-integration
bot
added
primary issue
aviggiano
added
the
sponsor confirmed
|
Fixed in SizeCredit/size-solidity#126 |
|
hansfriese marked the issue as satisfactory |
c4-judge
added
satisfactory
|
hansfriese marked the issue as selected for report |
This was referenced Jul 10, 2024
Closed
Closed
This was referenced Jul 10, 2024
|
hansfriese marked the issue as not selected for report |
c4-judge
removed
the
selected for report
|
hansfriese marked the issue as duplicate of #238 |
c4-judge
added
duplicate-238
and removed
primary issue
|
hansfriese marked the issue as duplicate of #238 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/Multicall.sol#L29
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/Multicall.sol#L37
Vulnerability details
Impact
Users can mint more
borrowATokenthanborrowATokenCapusing a multicall.Proof of Concept
During a multicall, it validates the
borrowATokenCaprequirement after executing functions.But it uses
borrowAToken.balanceOf(address(this))instead ofborrowAToken.totalSupply()and it won't work as expected becauseborrowAToken.balanceOf(address(this)) < borrowAToken.totalSupply().As a result,
validateBorrowATokenIncreaseLteDebtTokenDecrease()would pass when it should revert with lowerborrowATokenSupplyBefore/borrowATokenSupplyAfteramounts.Tools Used
Manual Review
Recommended Mitigation Steps
It should validate using
borrowAToken.totalSupply().function multicall(State storage state, bytes[] calldata data) internal returns (bytes[] memory results) { state.data.isMulticall = true; - uint256 borrowATokenSupplyBefore = state.data.borrowAToken.balanceOf(address(this)); + uint256 borrowATokenSupplyBefore = state.data.borrowAToken.totalSupply(); uint256 debtTokenSupplyBefore = state.data.debtToken.totalSupply(); results = new bytes[](data.length); for (uint256 i = 0; i < data.length; i++) { results[i] = Address.functionDelegateCall(address(this), data[i]); } - uint256 borrowATokenSupplyAfter = state.data.borrowAToken.balanceOf(address(this)); + uint256 borrowATokenSupplyAfter = state.data.borrowAToken.totalSupply(); uint256 debtTokenSupplyAfter = state.data.debtToken.totalSupply(); state.validateBorrowATokenIncreaseLteDebtTokenDecrease( borrowATokenSupplyBefore, debtTokenSupplyBefore, borrowATokenSupplyAfter, debtTokenSupplyAfter ); state.data.isMulticall = false; }Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: