User can Repay all his Debt and leave the protocol with his uncleared deficit #385
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-583
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L531
Vulnerability details
Impact
When a user wants to Repay his borrowed
Dola
, the protocol only checks if theDola
he wants to repay is less than or equal to his actual debt as per that particular Market. This means he can repay all his loan in one go and leave the protocol with his uncleared deficit.Proof of Concept
A user repays his debt by calling the repay function.
This function does the following check:
Once the above condition is cleared, the relevant state variables are updated. After this, the onRepay function in
DBR.sol
is called which accrues the DBR tokens he owes to the protocol.Once the user has successfully repaid his debt, he can withdraw all his collateral and leave the protocol with his uncleared debt.
Ideally, the protocol shouldn't allow the user to leave with his deficit uncleared.
A POC was created to show this:
The Logs printed out were:
You can see that his deficit is around 37000, but his
WithdrawalLimit
, is still the original 1 eth which he deposited in the beginning.Tools Used
VS code, Foundry
Recommended Mitigation Steps
Check the deficit of the user before proceeding with the repayment. Deficit should be zero for user to be able to repay his debt.
The text was updated successfully, but these errors were encountered: