Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ZanyBonzy - Morpho allows onBehalf repayment which can be weaponized to dos full repayment #50

Open
sherlock-admin4 opened this issue Oct 21, 2024 · 0 comments
Open

ZanyBonzy - Morpho allows onBehalf repayment which can be weaponized to dos full repayment #50

sherlock-admin4 opened this issue Oct 21, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Oct 21, 2024
edited by sherlock-admin2
Loading

ZanyBonzy

Medium

Morpho allows onBehalf repayment which can be weaponized to dos full repayment

Summary

Malicious users can frontrun calls to fully delever through deleverToZeroBorrowBalance by repaying dust amounts on behalf of the settoken to continously grief the repayment process.

Root Cause

deleverToZeroBorrowBalance calls the _repayBorrow function which invokes repay in Morpho.

https://github.com/sherlock-audit/2024-10-morpho-x-index/blob/2f125406e0dd3b1fc029b9a47fe97bfbf906fce2/index-protocol/contracts/protocol/modules/v1/MorphoLeverageModule.sol#L733C1-L759C6

    function _repayBorrow(
        ISetToken _setToken,
        MarketParams memory _marketParams,
        uint256 _notionalQuantity,
        uint256 _shares
    )
//... 
        } else {
            _setToken.invokeApprove(_marketParams.loanToken, address(morpho), _notionalQuantity);
>>          _setToken.invokeRepay(
                morpho,
                _marketParams,
                _notionalQuantity,
                0
            );
        }
    }

https://github.com/morpho-org/morpho-blue/blob/d60e123cd7e0bb1b39df7369847717237a7751cd/src/Morpho.sol#L286s

Morpho's repay function is public, allowing users to repay on behalf of anyone, without any limit on how little the amount can be. From the implementation we can see that anyone could repay any other user's debt(or part of it). So when the manager tries to repay the full amount a malicious user could just front-run the transaction and repay 1 wei on behalf of the connector address, thus reverting the transaction due to underflow.

    function repay(
        MarketParams memory marketParams,
        uint256 assets,
        uint256 shares,
        address onBehalf,
        bytes calldata data
    ) external returns (uint256, uint256) {
        Id id = marketParams.id();
        require(market[id].lastUpdate != 0, ErrorsLib.MARKET_NOT_CREATED);
        require(UtilsLib.exactlyOneZero(assets, shares), ErrorsLib.INCONSISTENT_INPUT);
        require(onBehalf != address(0), ErrorsLib.ZERO_ADDRESS);

        _accrueInterest(marketParams, id);

        if (assets > 0) shares = assets.toSharesDown(market[id].totalBorrowAssets, market[id].totalBorrowShares);
        else assets = shares.toAssetsUp(market[id].totalBorrowAssets, market[id].totalBorrowShares);

>>>     position[id][onBehalf].borrowShares -= shares.toUint128();
//...
    }

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Full repayment DOS due to frontrun.

PoC

No response

Mitigation

Check the shares owned and if they are less than the amount passed to repay, repay just the shares owned
@sherlock-admin2 sherlock-admin2 changed the title Brisk Cherry Aphid - Morpho allows onBehalf repayment which can be weaponized to dos full repayment ZanyBonzy - Morpho allows onBehalf repayment which can be weaponized to dos full repayment Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4