PaprController._reduceDebt: reverts if amount greater debt which can lead to DOS #208
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-92
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L481
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L486-L489
Vulnerability details
Impact
There are two ways to reduce debt.
The first is by calling
PaprController.reduceDebt
(https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L148) which burns papr token frommsg.sender
directly.The second is the
PaprController.buyAndReduceDebt
function (https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L208) which swaps the underlying token for papr token and then burns the papr token.Both ways internally call
PaprController._reduceDebt
(https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L481).The
PaprController._reduceDebt
function reverts if theamount
parameter is bigger than the actual debt in the vault.This is a problem for two reasons:
When a user wants to pay all his debt using the
PaprController.buyAndReduceDebt
function he must perform complex math in order to calculate the amount of input token that results in the exact amount of papr tokenAn attacker can front-run a transaction that repays all debt by paying back 1 Wei. The transaction to pay back the whole debt then reverts
The first issue is more a usability issue than a security issue.
However the second issue can be used to DOS the application. Especially if other protocols integrate with the papr protocol and are not flexible enough to pay back amounts that are smaller than the maximum.
Proof of Concept
PaprController._reduceDebt
callsPaprController._reduceDebtWithoutBurn
(https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L486-L489):This reverts if
amount > _vaultInfo[account][asset]
.Tools Used
VSCode
Recommended Mitigation Steps
If
PaprController._reduceDebt
is called with anamount > _vaultInfo[account][asset].debt
, thenamount
should be set to_vaultInfo[account][asset].debt
.So
PaprController._reduceDebt
should look like this:The text was updated successfully, but these errors were encountered: