Size uses wrong source to query available liquidity on Aave, resulting in borrow and lend operations being bricked upon mainnet deployment #218
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
edited-by-warden
M-03
primary issue
Highest quality submission among a set of duplicates
🤖_89_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/main/src/libraries/CapsLibrary.sol#L67-L71
Vulnerability details
Bug Description
Size queries the
underlyingBorrowToken
balance of thevariablePool
during borrowing and lending actions in order to check available liquidity. If there is not enough available liquidity for the new borrower to withdraw the borrowed assets, the function call will revert:Size::buyCreditMarket
Size::sellCreditMarket
CapsLibrary::validateVariablePoolHasEnoughLiquidity
However, Aave actual holds all liquidity in the
AToken
contracts, not thePool
contracts. Therefore, the liquidity check above will always fail when thevariablePool
references a live instance of an actual Aave Pool. This is due to the fact that thevariablePool
balance will be 0 (does not hold any liquidity), causing borrowing and lending actions to revert on line 70 inCapsLibrary.sol
.The below code snippets are taken from out of scope contracts, but are shown to further explain why the test suite did not detect this vulnerability:
SupplyLogic::executeSupply
As shown above, the actual implementation of the Aave pool will transfer supplied assets to the
aTokenAddress
on supplies. The Aave pool implementation will then transfer the assets from the AToken to the recipient during withdraws, since the liquidity is stored in the AToken contract:SupplyLogic::executeWithdraw
AToken::burn
However, Size uses a
PoolMock
contract for their test suite, which implements logic that differs from actual Aave Pool contracts:PoolMock.sol#L67-L78
As shown above, the
PoolMock
contract transfers all supplied assets to thePoolMock
contract itself, not the AToken contract. This differs from how actual Aave Pools handle liquidity on live networks.Impact
Borrow (
sellCreditMarket
) and lend (buyCreditMarket
) operations will be bricked when Size is deployed and integrates with Aave on a live network. This report is labeled as High due to the fact that the main functionalities of this lending protocol will be unusable upon deployment.Proof of Concept
The following PoC simply showcases the fact that the
AToken
does not hold the liquidity in the test suite. See here to observe thatATokens
are the contracts that hold liquidity for Aave in live networks.Modify the file below and run with
forge test --mc BuyCreditLimitTest --mt test_BuyCreditLimit_buyCreditLimit_adds_loanOffer_to_orderbook
:Tools Used
manual
Recommended Mitigation
When checking available liquidity on Aave, Size should query the
underlyingBorrowToken
balance of theAToken
instead of thevariablePool
:Assessed type
Other
The text was updated successfully, but these errors were encountered: