AToken cap can be violated/bypassed through multicall #373
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-238
🤖_48_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/Deposit.sol#L76-L82
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/Multicall.sol#L29-L42
Vulnerability details
Impact
The borrowATokenCap, which is meant to limit the amount of credit in the protocol, can be bypassed by depositing via multicall.
Proof of Concept
The borrowATokenCap check is deferred during a multicall to allow for loan repayments and liquidations that might result in the total borrowAToken exceeding the cap, provided that an equal amount of debt is repaid in the same multicall.
However, the validation logic used after the multicall is incorrect, as it allows a user to make a deposit that might exceed the cap and that would revert if done through a direct deposit call.
The AToken cap validation function used in multicall, validateBorrowATokenIncreaseLteDebtTokenDecrease, asserts that if the borrowATokenCap is exceeded then an equal or greater amount of debt must be burned. As stated earlier, this is to allow loan repayments and liquidations that might exceed the cap. The issue lies in the borrowATokenSupplyBefore and borrowATokenSupplyAfter parameters passed to the validateBorrowATokenIncreaseLteDebtTokenDecrease function.
As seen here, balanceOf(address(this)) is used rather than totalSupply(). Since deposits have no effect on balanceOf(address(this)), as tokens are deposited directly to the user's balance, the validation fails.
Proof of Code
Let's extend the existing deposit validation test by adding the following lines of code
Run via
forge test --mt test_Deposit_validation_borrowATokenCap
From the test code provided we can see that the deposit validation logic does not work as expected when depositing through a multicall.
Tools Used
Manual Review
Recommended Mitigation Steps
Replace balanceOf(address(this)) with totalSupply().
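The following Python model is an added example, not code from this report or from the Size code base. It models the deferred cap check under hypothetical names (Market, measured_supply, PROTOCOL, use_total_supply) to show that measuring balanceOf(address(this)) misses a deposit made inside a multicall, while measuring totalSupply() rejects it and still allows a deposit paired with an equal repayment.

```python
# Simplified accounting model (assumption: not the protocol's Solidity code).
PROTOCOL = "size"  # stands in for address(this)

class CapExceeded(Exception):
    pass

class Market:
    def __init__(self, cap, debt, use_total_supply):
        self.cap, self.debt = cap, debt
        self.use_total_supply = use_total_supply  # False = reported behaviour
        self.balances = {PROTOCOL: 0}             # borrowAToken balances
        self.in_multicall = False

    def total_supply(self):
        return sum(self.balances.values())

    def measured_supply(self):
        # Value passed as borrowATokenSupplyBefore/After to the post-multicall check.
        if self.use_total_supply:
            return self.total_supply()
        return self.balances[PROTOCOL]            # balanceOf(address(this))

    def deposit(self, user, amount):
        # Tokens are credited to the depositor, not to the protocol's balance.
        if not self.in_multicall and self.total_supply() + amount > self.cap:
            raise CapExceeded("direct deposit over cap")
        self.balances[user] = self.balances.get(user, 0) + amount

    def repay(self, user, amount):
        # Borrower hands borrowATokens to the protocol and the debt is burned.
        self.balances[user] -= amount
        self.balances[PROTOCOL] += amount
        self.debt -= amount

    def multicall(self, calls):
        saved = (dict(self.balances), self.debt)
        supply_before, debt_before = self.measured_supply(), self.debt
        self.in_multicall = True                  # cap check deferred
        try:
            for fn, *args in calls:
                fn(*args)
        finally:
            self.in_multicall = False
        increase = max(self.measured_supply() - supply_before, 0)
        decrease = max(debt_before - self.debt, 0)
        # Model of validateBorrowATokenIncreaseLteDebtTokenDecrease.
        if self.measured_supply() > self.cap and increase > decrease:
            self.balances, self.debt = saved      # emulate revert
            raise CapExceeded("multicall over cap")
```

With a constructed cap of 100 and 90 already deposited, a 20-token deposit wrapped in multicall succeeds when use_total_supply is False and raises CapExceeded when it is True.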
Assessed type
Invalid Validation