Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[M-02] transferring LESS funds from lender than needed #353

Closed
code423n4 opened this issue Jun 26, 2022 · 1 comment
Closed

[M-02] transferring LESS funds from lender than needed #353

code423n4 opened this issue Jun 26, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L247-L305

Vulnerability details

Impact

Wrong accounting calculation may result in malfunctioning and loss of funds for the project.

Proof of Concept

https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L281-L283
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L297

  • As seen in the lines above, the amount transferred from the lender is after subtracting the fee he actually needs to pay
  • On the other hand, the amount swapped on 'swivel' is the original (but should be the subtracted amount - fee) and this takes out from lender.sol more than received.
  • On other lend functions the accounting is done as I described, the opposite of the current code.

Recommended Mitigation Steps

I recommend doing the accounting like this:

uint256 amount = a[i];
lent += amount; 
uint256 fee = calculateFee(amount);
a[i] -= fee  // correct the amount vector
amountToMint += a[i]  // amount minus the fee

Then

  • transferFrom with corrected lent (including the fees)
  • initiate swivel with the corrected amounts vector a
  • mint only amountToMint to the lender (sum of amounts minus the fees)
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 26, 2022
code423n4 added a commit that referenced this issue Jun 26, 2022
@code423n4
Metatron issue #353
2402df9
@KenzoAgada
Copy link

Duplicate of #201

@sourabhmarathe sourabhmarathe added duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") and removed sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Jun 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sourabhmarathe @code423n4 @gzeoneth @KenzoAgada