Multicall incorrectly validates borrow token supply cap #6
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-238
🤖_48_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/Multicall.sol#L29
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/Multicall.sol#L29
Vulnerability details
Impact
Instead of the borrow token's total supply, the
Multicall.sol
usesaddress(this)
balances to validate the borrow token's supply cap, causing borrow tokens to be minted above the supply cap.Proof of Concept
During a multicall, the size protocol contract verifies that the resulting borrow token supply is less than or equal than to the decrease in the debt token supply.
borrowATokenSupplyBefore
andborrowATokenSupplyAfter
variables are received from theMulticall.sol
library:The problem here is that contract balances are used instead of
totalSupply
. This will result in an incorrect assessment of the increase in the total supply of borrow tokens relative to the decrease in the supply of debt tokens.Note how borrow token supply cap is validated in the
validateBorrowATokenCap
function.Tools Used
Manual review
Recommended Mitigation Steps
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: