Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect Liquidity Check in Variable Pool Disrupts Borrowing Operations #275

Closed
howlbot-integration bot opened this issue Jul 8, 2024 · 2 comments
Closed

Incorrect Liquidity Check in Variable Pool Disrupts Borrowing Operations #275

howlbot-integration bot opened this issue Jul 8, 2024 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 🤖_10_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L67-L73
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L184
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L194
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L243

Vulnerability details

  • When there is a borrow action in the Size protocol, the protocol ensures that the borrower can always withdraw the cash amount they borrowed by validating the liquidity in the variable pool.
   function buyCreditMarket(BuyCreditMarketParams calldata params) external payable override(ISize) whenNotPaused {
       // some code .. 
 >>    state.validateVariablePoolHasEnoughLiquidity(amount);
    }

   function sellCreditMarket(SellCreditMarketParams memory params) external payable override(ISize) whenNotPaused {
        // some code ...
 >>     state.validateVariablePoolHasEnoughLiquidity(amount);
    }

   function liquidateWithReplacement(LiquidateWithReplacementParams calldata params)/*...*/{
       //some code ...
 >>     state.validateVariablePoolHasEnoughLiquidity(amount);
    }
  • The variablePool is an AAVE V3 POOL. In the validateVariablePoolHasEnoughLiquidity function, we check if the usdc.balanceOf(variablePool) is greater than or equal to the amount to be withdrawn. If this condition is not met, the function reverts.
 function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
  >>    uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
  >>    if (liquidity < amount) {
  >>      revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

  • The issue is that this validation will always revert because the variablePool is always empty. The variablePool does not hold the supplied tokens; instead he send it to aToken contract of the supplied asset .

  • Due to this incorrect assumption (that the variablePool holds the supplied tokens), borrowing is not possible, effectively breaking the entire system.

Notice: All testing for this scenario succeeds because the tests use an incorrect mock of the AAVE pool that holds the supplied tokens instead of sending them to the aToken contract.

Impact

  • The buyCreditMarket, sellCreditMarket, and liquidateWithReplacement functions will always revert due to incorrect validation of variablePool liquidity, effectively halting all borrowing and selling credits operations within the protocol.

Proof of Concept

  • Here is a coded PoC that proves the variablePool does not hold the supplied tokens and when the variablePool balance is 0 it doesn't mean it not possible to withdraw. The test uses the real AAVE V3 POOL on the mainnet and the real USDC address. Add this test here.

Make sure to set a mainnet URL in the .env file:

MAINNET_URL="https://eth-mainnet.g.alchemy.com/v2/<your api key>"

    // import those : 
    import {USDC} from "@test/mocks/USDC.sol";
    import {IPool} from "@aave/interfaces/IPool.sol";

    function test_forkPool() public {
        // create fork :
        vm.createSelectFork(vm.envString("MAINNET_URL"));
        // change pool to v3 pool on ethereum mainnet and usdc to actual address:
        variablePool = IPool(0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2);
        usdc = USDC(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
        address richWallet = 0x3b769b1B3d9B119A64c40A39A12a580495909Bc3;
        // supply 1000 usdc  :
        address aToken = variablePool.getReserveData(address(usdc)).aTokenAddress;
        uint256 balanceAtokenBefore = usdc.balanceOf(aToken);
        vm.startPrank(richWallet);
        usdc.approve(address(variablePool), 1000e6);
        variablePool.supply(address(usdc), 1000e6, address(this), 0);
        vm.stopPrank();
        // check that the pool doesn't hold any supplied token and atoken is the one hold it :
        uint256 variablePoolBalance = usdc.balanceOf(address(variablePool));
        uint256 balanceAtokenAfter = usdc.balanceOf(aToken);
        assertEq(variablePoolBalance, 0);
        assertEq(balanceAtokenAfter - balanceAtokenBefore, 1000e6);
        // show that it's possibel to withdraw when pool balance is 0 :
        variablePool.withdraw(address(usdc), 1000e6, address(this));
    }
  • run test :
forge test --mt test_forkPool -vvv

Tools Used

manual review

Recommended Mitigation Steps

  • you sould check the balance of atoken instead of variablePool :
    function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
-   uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
+   uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(state.data.variablePool.getReserveData(address(state.data.underlyingBorrowToken)).aTokenAddress);
        if (liquidity < amount) {
            revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

Assessed type

Invalid Validation
@howlbot-integration howlbot-integration bot added 3 (High Risk) Assets can be stolen/lost/compromised directly 🤖_10_group AI based duplicate group recommendation bug Something isn't working duplicate-218 sufficient quality report This report is of sufficient quality labels Jul 8, 2024
howlbot-integration bot added a commit that referenced this issue Jul 8, 2024
@howlbot-integration
elhaj issue #275
d22e2dd
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge
Copy link
Contributor

hansfriese changed the severity to 2 (Med Risk)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jul 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 🤖_10_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge