validateSellCreditMarket and validateBuyCreditMarket incorrectly assume params.amount is credit when validating against minimumCreditBorrowAToken #16
Labels: 2 (Med Risk), bug, duplicate-224, edited-by-warden, 🤖_18_group, satisfactory, sponsor confirmed, sufficient quality report
Lines of code
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/actions/SellCreditMarket.sol#L93-L95
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/actions/BuyCreditMarket.sol#L91-L93
Vulnerability details
Impact
When users call sellCreditMarket, they can provide the exactAmountIn flag to determine whether params.amount is credit or cash. However, validateSellCreditMarket incorrectly assumes params.amount is credit when checking against state.riskConfig.minimumCreditBorrowAToken.
Proof of Concept
Inside validateSellCreditMarket, there are two validations related to params.amount: first, checking if it is greater than creditPosition.credit when params.creditPositionId is provided, and second, checking if params.amount is lower than minimumCreditBorrowAToken.
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/actions/SellCreditMarket.sol#L93-L95
When checking against creditPosition.credit, it is safe to assume that params.amount is credit, since cash also cannot be greater than creditPosition.credit.
However, when checking against minimumCreditBorrowAToken and the provided amount is cash, it is possible that the cash is lower than minimumCreditBorrowAToken while the actual credit exceeds minimumCreditBorrowAToken.
As a result, an operation given a valid params.amount of cash could revert unexpectedly.
This is also the case inside validateBuyCreditMarket.
Tools Used
Manual review
Recommended Mitigation Steps
Remove the minimumCreditBorrowAToken validation inside validateSellCreditMarket and validateBuyCreditMarket, since it will be checked inside executeSellCreditMarket and executeBuyCreditMarket when credit is created.
Assessed type
Invalid Validation
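A simplified model of the mismatch this report describes, added here as an illustration; it is not the Size protocol's code. The cash-to-credit conversion, the sample minimum and rate, and the names amountIsCash (a stand-in for the exactAmountIn flag), cashToCredit, validateAsReported and validateOnCredit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the audited contracts. Everything except the
/// identifiers params.amount and minimumCreditBorrowAToken is hypothetical.
contract MinimumCreditCheckModel {
    uint256 public constant PERCENT = 1e18;
    // Constructed sample value: a minimum credit of 10 units at 6 decimals.
    uint256 public constant minimumCreditBorrowAToken = 10_000_000;

    error CreditLowerThanMinimum(uint256 credit, uint256 minimum);

    /// Assumed conversion: credit created for `cash` at `ratePerTenor`
    /// (18-decimal fraction). Fees are ignored in this model.
    function cashToCredit(uint256 cash, uint256 ratePerTenor) public pure returns (uint256) {
        return cash * (PERCENT + ratePerTenor) / PERCENT;
    }

    /// Behaviour described in the report: params.amount is compared with the
    /// minimum as if it were always credit, whatever the flag says.
    function validateAsReported(uint256 amount, bool /* amountIsCash */) external pure {
        if (amount < minimumCreditBorrowAToken) {
            revert CreditLowerThanMinimum(amount, minimumCreditBorrowAToken);
        }
    }

    /// The minimum applied to the credit that is actually created, which is
    /// where the report says the check belongs (the execute step).
    function validateOnCredit(uint256 amount, bool amountIsCash, uint256 ratePerTenor) external pure {
        uint256 credit = amountIsCash ? cashToCredit(amount, ratePerTenor) : amount;
        if (credit < minimumCreditBorrowAToken) {
            revert CreditLowerThanMinimum(credit, minimumCreditBorrowAToken);
        }
    }

    // Constructed case: amount = 9_500_000 cash, ratePerTenor = 0.1e18 (10%).
    //   cashToCredit(9_500_000, 0.1e18) == 10_450_000, above the minimum.
    //   validateAsReported(9_500_000, true) reverts: 9_500_000 < 10_000_000.
    //   validateOnCredit(9_500_000, true, 0.1e18) does not revert.
}
```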