Incorrect validation in validateVariablePoolHasEnoughLiquidity will cause DoS of the protocol's major functions #7
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-218
🤖_10_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L68
https://github.com/aave/aave-v3-core/blob/6070e82d962d9b12835c88e68210d0e63f08d035/contracts/protocol/libraries/logic/SupplyLogic.sol#L67
Vulnerability details
Impact
The
validateVariablePoolHasEnoughLiquidity
function does not properly validate liquidity in the Aave pool, resulting in DoS in thebuyCreditMarket
,sellCreditMarket
andliquidateWithReplacement
functions.https://github.com/code-423n4/2024-06-size/blob/main/src/Size.sol#L184
https://github.com/code-423n4/2024-06-size/blob/main/src/Size.sol#L194
https://github.com/code-423n4/2024-06-size/blob/main/src/Size.sol#L243
Proof of Concept
The
validateVariablePoolHasEnoughLiquidity
function assumes that Aave stores assets in the v3 pool contract:But it's not right, according to the Aave
SupplyLogic.sol
, assets are forwarded to the correspondingaTokenAddess
:Aave v3 pool doesn't hold any tokens:
https://etherscan.io/address/0x87870bca3f3fd6335c3f4ce8392d69350b4fa4e2
Aave v3 USDC aToken holds all assets:
https://etherscan.io/address/0x98c23e9d8f34fefb1b7bd6a91b7ff122f4e16f5c
With all being said,
validateVariablePoolHasEnoughLiquidity
will always revert for non-zero amounts.Tools Used
Manual review
Recommended Mitigation Steps
Assessed type
DoS
The text was updated successfully, but these errors were encountered: