validateVariablePoolHasEnoughLiquidity() misuse liquidity #80
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-218
🤖_primary
AI based primary recommendation
🤖_10_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L68
Vulnerability details
validateVariablePoolHasEnoughLiquidity() is called after buyCreditMarket() / sellCreditMarket() / liquidateWithReplacement() method execution. The main purpose is a safety mechanism.
But currently using liquidity = usdc.balanceOf(aave3 pool), it's always 0. Pool doesn't have a balance, token is deposited into aToken and not in pool.
https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/libraries/logic/SupplyLogic.sol
Pool.sol -> SupplyLogic.sol
https://github.com/aave/aave-v3-core/blob/master/contracts/protocol/tokenization/AToken.sol#L104
Impact
Methods at the core of the protocol don't work, e.g.: buyCreditMarket() / sellCreditMarket() / liquidateWithReplacement() always revert NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY
Recommended Mitigation
Assessed type
Context
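The balance mechanics the report describes, as an added example that is not part of the original submission and is not Size or Aave code. MockUSDC, MockPool, LiquidityCheckDemo and the address 0xA70C are constructed stand-ins, and the error is declared locally without parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-ins for illustration; not Aave or Size code.
contract MockUSDC {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    // No allowance logic: enough to model where balances end up.
    function move(address from, address to, uint256 amount) external {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

contract MockPool {
    MockUSDC public immutable usdc;
    address public immutable aToken; // Aave v3: getReserveData(asset).aTokenAddress

    constructor(MockUSDC usdc_, address aToken_) { usdc = usdc_; aToken = aToken_; }

    // As in SupplyLogic.sol: the underlying is sent to the aToken address.
    function supply(uint256 amount) external { usdc.move(msg.sender, aToken, amount); }
}

contract LiquidityCheckDemo {
    error NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY(); // name from the report, declared locally

    MockUSDC public usdc;
    MockPool public pool;

    constructor() {
        usdc = new MockUSDC();
        pool = new MockPool(usdc, address(0xA70C)); // constructed aToken address
        usdc.mint(address(this), 1000e6);
        pool.supply(1000e6);
    }

    // Reads the pool contract's own balance: 0 here, so any required > 0 reverts.
    function checkAgainstPool(uint256 required) external view {
        if (usdc.balanceOf(address(pool)) < required) revert NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY();
    }

    // Reads the balance at the aToken address, where the supplied underlying sits.
    function checkAgainstAToken(uint256 required) external view {
        if (usdc.balanceOf(pool.aToken()) < required) revert NOT_ENOUGH_BORROW_ATOKEN_LIQUIDITY();
    }
}
```

After deployment, checkAgainstPool(1) reverts while checkAgainstAToken(1000e6) passes.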