Multicall incorrectly validates borrow token supply cap #6

c4-bot-9 · 2024-06-22T19:29:46Z

Lines of code

https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/Multicall.sol#L29
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/Multicall.sol#L29

Vulnerability details

Impact

Instead of the borrow token's total supply, the Multicall.sol uses address(this) balances to validate the borrow token's supply cap, causing borrow tokens to be minted above the supply cap.

Proof of Concept

During a multicall, the size protocol contract verifies that the resulting borrow token supply is less than or equal than to the decrease in the debt token supply.

    function validateBorrowATokenIncreaseLteDebtTokenDecrease(
        State storage state,
>>      uint256 borrowATokenSupplyBefore,
        uint256 debtTokenSupplyBefore,
>>      uint256 borrowATokenSupplyAfter,
        uint256 debtTokenSupplyAfter
    ) external view {
        // If the supply is above the cap
        if (borrowATokenSupplyAfter > state.riskConfig.borrowATokenCap) {
            uint256 borrowATokenSupplyIncrease = borrowATokenSupplyAfter > borrowATokenSupplyBefore
                ? borrowATokenSupplyAfter - borrowATokenSupplyBefore
                : 0;
            uint256 debtATokenSupplyDecrease =
                debtTokenSupplyBefore > debtTokenSupplyAfter ? debtTokenSupplyBefore - debtTokenSupplyAfter : 0;

            // and the supply increase is greater than the debt reduction
            if (borrowATokenSupplyIncrease > debtATokenSupplyDecrease) {
                // revert
                revert Errors.BORROW_ATOKEN_INCREASE_EXCEEDS_DEBT_TOKEN_DECREASE(
                    borrowATokenSupplyIncrease, debtATokenSupplyDecrease
                );
            }
            // otherwise, it means the debt reduction was greater than the inflow of cash: do not revert
        }
        // otherwise, the supply is below the cap: do not revert
    }

borrowATokenSupplyBefore and borrowATokenSupplyAfter variables are received from the Multicall.sol library:

    function multicall(State storage state, bytes[] calldata data) internal returns (bytes[] memory results) {
        state.data.isMulticall = true;

>>      uint256 borrowATokenSupplyBefore = state.data.borrowAToken.balanceOf(address(this));
        uint256 debtTokenSupplyBefore = state.data.debtToken.totalSupply();

        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Address.functionDelegateCall(address(this), data[i]);
        }

>>      uint256 borrowATokenSupplyAfter = state.data.borrowAToken.balanceOf(address(this));
        uint256 debtTokenSupplyAfter = state.data.debtToken.totalSupply();

        state.validateBorrowATokenIncreaseLteDebtTokenDecrease(
            borrowATokenSupplyBefore, debtTokenSupplyBefore, borrowATokenSupplyAfter, debtTokenSupplyAfter
        );

        state.data.isMulticall = false;
    }

The problem here is that contract balances are used instead of totalSupply. This will result in an incorrect assessment of the increase in the total supply of borrow tokens relative to the decrease in the supply of debt tokens.

Note how borrow token supply cap is validated in the validateBorrowATokenCap function.

    function validateBorrowATokenCap(State storage state) external view {
        if (state.data.borrowAToken.totalSupply() > state.riskConfig.borrowATokenCap) {
            revert Errors.BORROW_ATOKEN_CAP_EXCEEDED(
                state.riskConfig.borrowATokenCap, state.data.borrowAToken.totalSupply()
            );
        }
    }

Tools Used

Manual review

Recommended Mitigation Steps

    function multicall(State storage state, bytes[] calldata data) internal returns (bytes[] memory results) {
        state.data.isMulticall = true;

+       uint256 borrowATokenSupplyBefore = state.data.borrowAToken.totalSupply();
        uint256 debtTokenSupplyBefore = state.data.debtToken.totalSupply();

        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Address.functionDelegateCall(address(this), data[i]);
        }

+       uint256 borrowATokenSupplyAfter = state.data.borrowAToken.totalSupply();
        uint256 debtTokenSupplyAfter = state.data.debtToken.totalSupply();

Assessed type

Invalid Validation

The text was updated successfully, but these errors were encountered:

c4-judge · 2024-07-11T16:52:27Z

hansfriese marked the issue as satisfactory

c4-judge · 2024-07-21T08:41:28Z

hansfriese marked the issue as duplicate of #238

c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 22, 2024

c4-bot-6 added a commit that referenced this issue Jun 22, 2024

SpicyMeatball issue #6

acf50cf

c4-bot-12 added the 🤖_48_group AI based duplicate group recommendation label Jul 2, 2024

howlbot-integration bot closed this as completed Jul 4, 2024

howlbot-integration bot added sufficient quality report This report is of sufficient quality duplicate-144 labels Jul 4, 2024

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2024

c4-judge added duplicate-238 and removed duplicate-144 labels Jul 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Multicall incorrectly validates borrow token supply cap #6

Multicall incorrectly validates borrow token supply cap #6

c4-bot-9 commented Jun 22, 2024

c4-judge commented Jul 11, 2024

c4-judge commented Jul 21, 2024

Multicall incorrectly validates borrow token supply cap #6

Multicall incorrectly validates borrow token supply cap #6

Comments

c4-bot-9 commented Jun 22, 2024

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

c4-judge commented Jul 11, 2024

c4-judge commented Jul 21, 2024