Since the lender and borrower can be the same, BorrowATokenCap can be bypassed. #49
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-238
🤖_48_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/Deposit.sol#L80
Vulnerability details
Impact
Since the lender and borrower can be the same, BorrowATokenCap can be bypassed.
Users can bypass BorrowATokenCap to increase their BorrowAToken balance infinitely, at the cost of losing a portion of the protocol fee.
Proof of Concept
When the user deposits, the protocol will check whether the total supply of BorowAtoken exceeds BorowATokenCap
gothub:https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/Deposit.sol#L81
state.validateBorrowATokenCap();
If using Multicall calls, this check will be ignored, as Multicall will ultimately check for changes in debit/borrowAtoken
github:https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/Multicall.sol#L40
state.validateBorrowATokenIncreaseLteDebtTokenDecrease( borrowATokenSupplyBefore, debtTokenSupplyBefore, borrowATokenSupplyAfter, debtTokenSupplyAfter );
Now let's take a closer look at the implementation of validateBorrowATokenIncreaseLteDebtTokenDecrease
github:https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L19
When BorrowAToken > BorrowATokenCap, the newly cast BorrowAToken must be less than or equal to the decrease in debt.
Imagine a situation where when the total supply of borrowAtoken reaches the borrowATokenCap, the user wants to get more borrowAtoken balances.
It can create a credit position with both the lender and the borrower as its own, then call Multicall deposit and reply, and finally call claim to recover the original borrowAToken, and his balance will increase.
In the cycle of call, borrowATokenCap will lose its meaning completely.
POC:
The following is the test function, which can be run by placing it in the BuyCreditLimit.t.sol file and adding some import.
The test function demonstrates the following scenarios:
The following are the logs of the test run :
It can be seen that after five attacks, Alice's balance has significantly increased beyond BorrowATokenCap, and there is no way to restrict her from continuing to grow.
Tools Used
Manual audit,foundry
Recommended Mitigation Steps
To solve this problem, we need to prohibit users from purchasing or selling their own creditLimit
Add in BuyCreditMarket.sol:
github:https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditMarket.sol#L83
Add in SellCreditMarket.sol
github:https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditMarket.sol#L51
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: