Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

validateSellCreditMarket and validateBuyCreditMarket incorrectly assumes params.amount is credit when validating against minimumCreditBorrowAToken #16

Closed
c4-bot-6 opened this issue Jun 27, 2024 · 3 comments
Closed

validateSellCreditMarket and validateBuyCreditMarket incorrectly assumes params.amount is credit when validating against minimumCreditBorrowAToken #16

c4-bot-6 opened this issue Jun 27, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-224 edited-by-warden 🤖_18_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality

Comments

@c4-bot-6
Copy link
Contributor

c4-bot-6 commented Jun 27, 2024
edited
Loading

Lines of code

https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/actions/SellCreditMarket.sol#L93-L95
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/actions/BuyCreditMarket.sol#L91-L93

Vulnerability details

Impact

When users calls sellCreditMarket, users can provide exactAmountIn flag to determine wether params. amount is credit or cash. However, validateSellCreditMarket incorrectly assume params.amount is credit when checking against state.riskConfig.minimumCreditBorrowAToken.

Proof of Concept

Inside validateSellCreditMarket, there are two validations related to params.amount. first, checking if it is greater than creditPosition.credit when params.creditPositionId is provided, and second, checking if params.amount is lower than minimumCreditBorrowAToken.

https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/actions/SellCreditMarket.sol#L93-L95

    function validateSellCreditMarket(State storage state, SellCreditMarketParams calldata params) external view {
        // ...

        // validate creditPositionId
        if (params.creditPositionId == RESERVED_ID) {
            tenor = params.tenor;

            // validate tenor
            if (tenor < state.riskConfig.minTenor || tenor > state.riskConfig.maxTenor) {
                revert Errors.TENOR_OUT_OF_RANGE(tenor, state.riskConfig.minTenor, state.riskConfig.maxTenor);
            }
        } else {
            CreditPosition storage creditPosition = state.getCreditPosition(params.creditPositionId);
            DebtPosition storage debtPosition = state.getDebtPositionByCreditPositionId(params.creditPositionId);
            if (msg.sender != creditPosition.lender) {
                revert Errors.BORROWER_IS_NOT_LENDER(msg.sender, creditPosition.lender);
            }
            if (!state.isCreditPositionTransferrable(params.creditPositionId)) {
                revert Errors.CREDIT_POSITION_NOT_TRANSFERRABLE(
                    params.creditPositionId,
                    state.getLoanStatus(params.creditPositionId),
                    state.collateralRatio(debtPosition.borrower)
                );
            }
            tenor = debtPosition.dueDate - block.timestamp; // positive since the credit position is transferrable, so the loan must be ACTIVE

            // validate amount
            if (params.amount > creditPosition.credit) {
                revert Errors.NOT_ENOUGH_CREDIT(params.amount, creditPosition.credit);
            }
        }

        // validate amount
>>>     if (params.amount < state.riskConfig.minimumCreditBorrowAToken) {
            revert Errors.CREDIT_LOWER_THAN_MINIMUM_CREDIT(params.amount, state.riskConfig.minimumCreditBorrowAToken);
        }

        // ...
    }

When checking against creditPosition.credit, it is safe to assume that params.amount is credit, since cash also cannot be greater than creditPosition.credit.

However, when checking against minimumCreditBorrowAToken and the provided amount is cash, it is possible that the cash is lower than minimumCreditBorrowAToken, while the actual credit exceeds minimumCreditBorrowAToken.

This could cause providing valid params.amount of cash to the operation could revert unexpectedly.

This is also the case inside validateBuyCreditMarket.

Tools Used

Manual review

Recommended Mitigation Steps

Remove the minimumCreditBorrowAToken validation inside validateSellCreditMarket and validateBuyCreditMarket, since it will be checked inside executeSellCreditMarket and executeBuyCreditMarket when credit is created.

Assessed type

Invalid Validation
@c4-bot-6 c4-bot-6 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 27, 2024
c4-bot-3 added a commit that referenced this issue Jun 27, 2024
@c4-bot-3
said issue #16
0ed0b47
@c4-bot-6 c4-bot-6 changed the title validateSellCreditMarket incorrectly assumes params.amount is credit when validating against minimumCreditBorrowAToken validateSellCreditMarket and validateBuyCreditMarket incorrectly assumes params.amount is credit when validating against minimumCreditBorrowAToken Jun 28, 2024
@c4-bot-13 c4-bot-13 added the 🤖_18_group AI based duplicate group recommendation label Jul 2, 2024
@howlbot-integration howlbot-integration bot added primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Jul 4, 2024
@aviggiano aviggiano added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jul 4, 2024
@aviggiano
Copy link

Fixed in SizeCredit/size-solidity#125

@C4-Staff
Copy link

C4-Staff commented Jul 8, 2024

CloudEllie marked the issue as duplicate of #224

@C4-Staff C4-Staff closed this as completed Jul 8, 2024
@C4-Staff C4-Staff added duplicate-224 and removed primary issue Highest quality submission among a set of duplicates labels Jul 8, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-224 edited-by-warden 🤖_18_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@aviggiano @c4-judge @C4-Staff @code4rena-admin @c4-bot-6 @c4-bot-13