Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect address was used to check whether the variable pool has enough liquidity #285

Closed
howlbot-integration bot opened this issue Jul 8, 2024 · 3 comments
Closed

Incorrect address was used to check whether the variable pool has enough liquidity #285

howlbot-integration bot opened this issue Jul 8, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 🤖_10_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/CapsLibrary.sol#L67-L72

Vulnerability details

Impact

The critical functions listed below are unlikely to execute successfully, causing the Size protocol to stop working:

  • buyCreditMarket()
  • sellCreditMarket()
  • liquidateWithReplacement()

Proof of Concept

A eligible user (seller) can sell their credit for szaUSDC by calling sellCreditMarket(). sellCreditMarket() will check if the variable pool has enough liquidity to make sure the seller can redeem szaUSDC for USDC laterly.

Size#sellCreditMarket():

    function sellCreditMarket(SellCreditMarketParams memory params) external payable override(ISize) whenNotPaused {
        state.validateSellCreditMarket(params);
        uint256 amount = state.executeSellCreditMarket(params);
        if (params.creditPositionId == RESERVED_ID) {
            state.validateUserIsNotBelowOpeningLimitBorrowCR(msg.sender);
        }
@>      state.validateVariablePoolHasEnoughLiquidity(amount);
    }

CapsLibrary#validateVariablePoolHasEnoughLiquidity():

    function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
@>      uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
        if (liquidity < amount) {
            revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

As we all know, state.data.variablePool is the AAVE v3 pool, the address of which on Ethereum is 0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2. However, When USDC token is deposited in AAVE, it will be transferred into its aToken address: 0x98C23E9d8f34FEFb1B7BD6a91B7FF122F4e16F5c

validateVariablePoolHasEnoughLiquidity() used the incorrect address(state.data.variablePool) to check the underlyingBorrowToken balance, resulting in it likely failing to execute successfully. Any functions calling validateVariablePoolHasEnoughLiquidity() to check the variable pool liquidity will revert.

Tools Used

Manual review

Recommended Mitigation Steps

Correct the address used for USDC balance check:

    function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
-       uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
+       address aToken = state.data.variablePool.getReserveData(address(state.data.underlyingBorrowToken)).aTokenAddress;
+       uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(aToken);
        if (liquidity < amount) {
            revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

Assessed type

Context
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_10_group AI based duplicate group recommendation bug Something isn't working duplicate-218 sufficient quality report This report is of sufficient quality labels Jul 8, 2024
howlbot-integration bot added a commit that referenced this issue Jul 8, 2024
@howlbot-integration
0xpiken issue #285
a750b30
@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jul 11, 2024
@c4-judge
Copy link
Contributor

hansfriese changed the severity to 3 (High Risk)

@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2024
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge labels Jul 21, 2024
@c4-judge
Copy link
Contributor

hansfriese changed the severity to 2 (Med Risk)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 🤖_10_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge