validateVariablePoolHasEnoughLiquidity() misuse liquidity

[c4-bot-5]

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L68

Vulnerability details

Vulnerability details

validateVariablePoolHasEnoughLiquidity()
Called after buyCreditMarket()/sellCreditMarket()/liquidateWithReplacement() method execution
The main purpose is a safety mechanism.

   /// @notice Validate that the Variable Pool has enough liquidity to withdraw the amount of cash
   /// @dev Reverts if the Variable Pool does not have enough liquidity
   ///      This safety mechanism prevents takers from matching orders that could not be withdrawn from the Variable Pool.
   ///        Nevertheless, the Variable Pool may still fail to withdraw the cash due to other factors (such as a pause, etc),
   ///        which is understood as an acceptable risk.
   /// @param state The state struct
   /// @param amount The amount of cash to withdraw
   function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
@>     uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
       if (liquidity < amount) {
           revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
       }
   }

But currently using liquidity = usdc.balanceOf(aave3 pool), it's always 0
Pool doesn't have a balance, token is deposited into aToken and not in pool.
https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/SupplyLogic.sol
Pool.sol - > SupplyLogic.sol

library SupplyLogic {

  function executeSupply(
...

@>  IERC20(params.asset).safeTransferFrom(msg.sender, reserveCache.aTokenAddress, params.amount);

    bool isFirstSupply = IAToken(reserveCache.aTokenAddress).mint(
      msg.sender,
      params.onBehalfOf,
      params.amount,
      reserveCache.nextLiquidityIndex
    );

https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/tokenization/AToken.sol#L104

contract AToken is VersionedInitializable, ScaledBalanceTokenBase, EIP712Base, IAToken {
...
  function burn(
    address from,
    address receiverOfUnderlying,
    uint256 amount,
    uint256 index
  ) external virtual override onlyPool {
    _burnScaled(from, receiverOfUnderlying, amount, index);
    if (receiverOfUnderlying != address(this)) {
@>    IERC20(_underlyingAsset).safeTransfer(receiverOfUnderlying, amount);
    }
  }

Impact

Methods at the core of the protocol don't work, e.g.:buyCreditMarket()/sellCreditMarket()/liquidateWithReplacement() always revert NOT_ENOUGH_BORROW_ATOKEN_ LIQUIDITY

Recommended Mitigation

    function validateVariablePoolHasEnoughLiquidity(State storage state, uint256 amount) public view {
-       uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(address(state.data.variablePool));
+       address aTokenAddress = state.data.variablePool.getReserveData(address(state.data.underlyingBorrowToken)).aTokenAddress
+       uint256 liquidity = state.data.underlyingBorrowToken.balanceOf(aTokenAddress); 
        if (liquidity < amount) {
            revert Errors.NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(liquidity, amount);
        }
    }

Assessed type

Context

[C4-Staff]

CloudEllie marked the issue as duplicate of #218

[c4-judge]

hansfriese marked the issue as satisfactory

[c4-judge]

hansfriese changed the severity to 2 (Med Risk)