multicall() doesn't correctly enforce borrowATokenCap #91
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-238
🤖_primary: AI based primary recommendation
🤖_48_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/Multicall.sol#L29-L42
Vulnerability details
Impact
The Size protocol enforces a borrowATokenCap, which is a limit on how large the totalSupply() of the protocol's borrowAToken can become. This is useful for self-limiting the TVL of the protocol in a "guarded launch" approach.
To enforce this cap, the Deposit.sol contract has the following code:
Note that the implementation of validateBorrowATokenCap() is the following:
As specified in the comments of the first code snippet, this validation is skipped when isMulticall == true, since users may want to deposit to reduce their debt (e.g. using the compensate() logic). So, in the multicall() function, the following logic performs its own borrowATokenCap check:
Notice that this code is tracking the increase in borrowAToken supply by using balanceOf(address(this)). This is incorrect. The borrowAToken.balanceOf(address(this)) value represents the Size contract's own borrowAToken amount, which is simply the amount of unclaimed repayments (which can be reduced arbitrarily since claim() is permissionless). As a result, the multicall() logic does not correctly limit the borrowAToken supply, making the entire cap obsolete.
Proof of Concept
For a PoC, add the following test to DepositValidation.t.sol. This test shows that the exact same deposit can fail in a single deposit() but succeed in multicall():
Tools Used
Manual analysis.
Recommended Mitigation Steps
In the multicall() function, change borrowAToken.balanceOf(address(this)) to borrowAToken.totalSupply().
Assessed type
Invalid Validation
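The accounting difference described under Impact, and the change under Recommended Mitigation Steps, shown as an added Python model; it is not the Size protocol's Solidity code and not the report's PoC. Token, batch_deposit, the rollback and the simplified rule "a reading that grew during the batch must not end above the cap" are assumptions of this model.

```python
# Constructed model of the accounting in the report; not Size's Solidity code.
PROTOCOL = "protocol"  # stands in for address(this)

class CapExceeded(Exception):
    """Raised when the batch-level cap check fails."""

class Token:
    def __init__(self):
        self.balances, self.total_supply = {}, 0

    def balance_of(self, holder):
        return self.balances.get(holder, 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount
        self.total_supply += amount

def by_protocol_balance(token):  # the reading the report says multicall() uses
    return token.balance_of(PROTOCOL)

def by_total_supply(token):  # the reading the report recommends
    return token.total_supply

MEASURES = {"balanceOf(this)": by_protocol_balance, "totalSupply": by_total_supply}

def batch_deposit(token, cap, deposits, measure):
    """Apply deposits with the per-call cap check skipped, then check once.
    Assumed rule (this model only): if the `measure` reading grew during the
    batch it must not end above `cap`; otherwise the batch is rolled back."""
    snapshot = (dict(token.balances), token.total_supply)
    before = measure(token)
    for user, amount in deposits:
        token.mint(user, amount)  # a deposit mints to the depositor
    after = measure(token)
    if after > before and after > cap:
        token.balances, token.total_supply = snapshot  # model of a revert
        raise CapExceeded(f"{after} > cap {cap}")
    return token.total_supply

def demo(cap=100):
    results = {}
    for name, measure in MEASURES.items():
        token = Token()
        token.mint("alice", cap)  # constructed state: supply already at the cap
        try:
            results[name] = batch_deposit(token, cap, [("bob", 50)], measure)
        except CapExceeded:
            results[name] = "reverted"
    return results
```

Because the deposit mints to the depositor, the protocol's own balance reads 0 before and after the batch, so the balance-based check sees no increase while the supply grows past the cap.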