Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect validation in validateVariablePoolHasEnoughLiquidity will cause DoS of the protocol's major functions #7

Closed
c4-bot-3 opened this issue Jun 22, 2024 · 3 comments
Closed

Incorrect validation in validateVariablePoolHasEnoughLiquidity will cause DoS of the protocol's major functions #7

c4-bot-3 opened this issue Jun 22, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 🤖_10_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-3
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L68
https://github.com/aave/aave-v3-core/blob/6070e82d962d9b12835c88e68210d0e63f08d035/contracts/protocol/libraries/logic/SupplyLogic.sol#L67

Vulnerability details

Impact

The validateVariablePoolHasEnoughLiquidity function does not properly validate liquidity in the Aave pool, resulting in DoS in the buyCreditMarket, sellCreditMarket and liquidateWithReplacement functions.

https://github.com/code-423n4/2024-06-size/blob/main/src/Size.sol#L184
https://github.com/code-423n4/2024-06-size/blob/main/src/Size.sol#L194
https://github.com/code-423n4/2024-06-size/blob/main/src/Size.sol#L243

Proof of Concept

The validateVariablePoolHasEnoughLiquidity function assumes that Aave stores assets in the v3 pool contract:

    function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
>>      uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
        if (liquidity < amount) {
            revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

But it's not right, according to the Aave SupplyLogic.sol, assets are forwarded to the corresponding aTokenAddess:

  function executeSupply(
    mapping(address => DataTypes.ReserveData) storage reservesData,
    mapping(uint256 => address) storage reservesList,
    DataTypes.UserConfigurationMap storage userConfig,
    DataTypes.ExecuteSupplyParams memory params
  ) external {
    DataTypes.ReserveData storage reserve = reservesData[params.asset];
    DataTypes.ReserveCache memory reserveCache = reserve.cache();

    reserve.updateState(reserveCache);

    ValidationLogic.validateSupply(reserveCache, reserve, params.amount);

    reserve.updateInterestRates(reserveCache, params.asset, params.amount, 0);

>>  IERC20(params.asset).safeTransferFrom(msg.sender, reserveCache.aTokenAddress, params.amount);
    ---SNIP---

Aave v3 pool doesn't hold any tokens:
https://etherscan.io/address/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2
Aave v3 USDC aToken holds all assets:
https://etherscan.io/address/0x98c23e9d8f34fefb1b7bd6a91b7ff122f4e16f5c

With all being said, validateVariablePoolHasEnoughLiquidity will always revert for non-zero amounts.

Tools Used

Manual review

Recommended Mitigation Steps

    function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
+       address aToken = state.data.variablePool.getReserveData(address(state.data.underlyingBorrowToken)).aTokenAddress
+       uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(aToken);
        if (liquidity < amount) {
            revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

Assessed type

DoS
@c4-bot-3 c4-bot-3 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 22, 2024
c4-bot-1 added a commit that referenced this issue Jun 22, 2024
@c4-bot-1
SpicyMeatball issue #7
cd613a9
@c4-bot-12 c4-bot-12 added the 🤖_10_group AI based duplicate group recommendation label Jul 2, 2024
@howlbot-integration howlbot-integration bot added sufficient quality report This report is of sufficient quality duplicate-114 labels Jul 4, 2024
@C4-Staff
Copy link

C4-Staff commented Jul 8, 2024

CloudEllie marked the issue as duplicate of #218

@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2024
@c4-judge
Copy link
Contributor

hansfriese changed the severity to 2 (Med Risk)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jul 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 🤖_10_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @C4-Staff @c4-bot-3 @c4-bot-12