Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

withdraw() users may can't withdraw underlyingBorrowToken properly #88

Open
c4-bot-9 opened this issue Jul 1, 2024 · 9 comments
Open

withdraw() users may can't withdraw underlyingBorrowToken properly #88

c4-bot-9 opened this issue Jul 1, 2024 · 9 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality M-10 primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation 🤖_22_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-bot-9
Copy link
Contributor

c4-bot-9 commented Jul 1, 2024

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L162

Vulnerability details

Vulnerability details

We can withdraw underlyingCollateralToken and underlyingBorrowToken by withdraw()

    function withdraw(WithdrawParams calldata params) external payable override(ISize) whenNotPaused {
        state.validateWithdraw(params);
        state.executeWithdraw(params);
@>      state.validateUserIsNotBelowOpeningLimitBorrowCR(msg.sender);
    }

    function executeWithdraw(State storage state, WithdrawParams calldata params) public {
        uint256 amount;
        if (params.token == address(state.data.underlyingBorrowToken)) {
            amount = Math.min(params.amount, state.data.borrowAToken.balanceOf(msg.sender));
            if (amount > 0) {
@>              state.withdrawUnderlyingTokenFromVariablePool(msg.sender, params.to, amount);
            }
        } else {
            amount = Math.min(params.amount, state.data.collateralToken.balanceOf(msg.sender));
            if (amount > 0) {
                state.withdrawUnderlyingCollateralToken(msg.sender, params.to, amount);
            }
        }

        emit Events.Withdraw(params.token, params.to, amount);
    }

From the code above we know that whether we take underlyingCollateralToken or underlyingBorrowToken
will check validateUserIsNotBelowOpeningLimitBorrowCR() ==> collateralRatio() > openingLimitBorrowCR.

This makes sense for taking underlyingCollateralToken, but not for taking underlyingBorrowToken.

Because.

  1. taking the underlyingBorrowToken does not affect the collateralRatio.
  2. the user has already borrowed the funds (with interest accrued and collateralized), it is the user's asset, and should be able to be withdrawn at will, even if it may be liquidated.
  3. openingLimitBorrowCR is still far from being liquidated, and should not restrict the user from withdrawing the borrowed token.

Impact

If the token is already borrowed, just stored in Size and not yet taken, but due to a slight price fluctuation, validateUserIsNotBelowOpeningLimitBorrowCR() fails but is still far from being liquidated, the user may not be able to take the borrowed token.
resulting in the possibility that the user may not be able to withdraw the borrowed funds

Recommended Mitigation

    function withdraw(WithdrawParams calldata params) external payable override(ISize) whenNotPaused {
        state.validateWithdraw(params);
        state.executeWithdraw(params);
+       if (params.token != address(state.data.underlyingBorrowToken)  {
+             state.validateUserIsNotBelowOpeningLimitBorrowCR(msg.sender);
+       }
    }

Assessed type

Context
@c4-bot-9 c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jul 1, 2024
c4-bot-9 added a commit that referenced this issue Jul 1, 2024
@c4-bot-9
bin2chen issue #88
b5cc1fa
@c4-bot-11 c4-bot-11 added 🤖_22_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Jul 2, 2024
@howlbot-integration howlbot-integration bot added the insufficient quality report This report is not of sufficient quality label Jul 4, 2024
@aviggiano aviggiano added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jul 9, 2024
@aviggiano
Copy link

This is a valid bug and the report is good

Fixed in SizeCredit/size-solidity#124

@hansfriese
Copy link

Nice catch!

@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge reopened this Jul 10, 2024
@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards primary issue Highest quality submission among a set of duplicates labels Jul 10, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as primary issue

@c4-judge
Copy link
Contributor

hansfriese marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Jul 10, 2024
@aviggiano aviggiano mentioned this issue Jul 11, 2024
Open
@c4-judge c4-judge mentioned this issue Jul 11, 2024
Closed
@hansfriese hansfriese mentioned this issue Jul 12, 2024
Closed
@coffiasd
Copy link

coffiasd commented Jul 13, 2024
edited
Loading

code-423n4/2024-06-size-validation#248. I think this submission describe the same issue @hansfriese

@hansfriese
Copy link

@coffiasd
Thanks for your update.
I am checking the validation repo right now and I see some other duplicates also.

@samuraii77
Copy link

samuraii77 commented Jul 15, 2024
edited
Loading

Hi, this issue should be of high severity. The likelihood is very high, imagine a user borrows $1000 and gives $1500 as collateral, his collateral ratio is now 1.5e18. If the price of ETH drops by just 1 cent (or even less), his borrowed funds will be locked. The impact is also high as well.

@hansfriese
Copy link

I still believe Medium is appropriate for the following reasons:

  • The user can withdraw the borrowed funds at the time of borrowing using a multicall.
  • The user can still use the borrowed funds to repay their loan.
  • There is no fund loss; the funds are simply locked for a while.

@hansfriese hansfriese mentioned this issue Jul 21, 2024
Closed
@C4-Staff C4-Staff added the M-10 label Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality M-10 primary issue Highest quality submission among a set of duplicates 🤖_primary AI based primary recommendation 🤖_22_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@aviggiano @coffiasd @hansfriese @c4-judge @C4-Staff @c4-bot-9 @c4-bot-11 @samuraii77