The validateBorrowATokenIncreaseLteDebtTokenDecrease is incorrect and can be easily bypassed

[howlbot-integration]

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L27

Vulnerability details

Impact

The validateBorrowATokenIncreaseLteDebtTokenDecrease function in CapsLibrary.sol validates that the increase in borrow aToken supply is less than or equal to the decrease in debt token supply.
The issue is that due to incorrect validation, it is almost impossible for the function to ever not be successful, even when it shouldn't be.

Proof of Concept

The function should revert if the debt increase is greater than the supply increase and the supply is above the cap.
Here is the validation that the supply is above the cap:

if (borrowATokenSupplyAfter > state.riskConfig.borrowATokenCap) {...}

The issue is that the borrowATokenSupplyAfter is not the full supply of the borrowAToken but instead the contract's balance. This implementation is sufficient for the rest of the function, but should not be used in this particular instance as it is almost impossible for the balance of the contract to ever reach the supply cap.
However, in the current implementation, it is possible for the total supply of the borrow token to reach the supply cap and the required validation will still not be performed.

As a result, the validateBorrowATokenIncreaseLteDebtTokenDecrease will be bypassed in almost all cases, allowing for malicious actions to be performed.

Tools Used

Manual review

Recommended Mitigation Steps

Consider performing the validation the following way:

if (state.data.borrowAToken.totalSupply() > state.riskConfig.borrowATokenCap) {...}

Assessed type

Invalid Validation

[c4-judge]

hansfriese marked the issue as duplicate of #144

[c4-judge]

hansfriese marked the issue as satisfactory

[c4-judge]

hansfriese marked the issue as duplicate of #238