When Public Vault A buys out Public Vault B's lien tokens, it does not increase Public Vault A's liensOpenForEpoch, which would result in the lien tokens not being repaid #222
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
H-16
judge review requested: Judge should review this issue
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/VaultImplementation.sol#L313-L351
Vulnerability details
Impact
Vault A can call buyoutLien to buy out Vault B's lien tokens, which calls LienToken.buyoutLien.
LienToken.buyoutLien burns Vault B's lien token and mints a new lien token for Vault A.
When Vault B is a public vault, the handleBuyoutLien function of Vault B is called to decrease its liensOpenForEpoch.
However, when Vault A is a public vault, the liensOpenForEpoch of Vault A is not increased.
The liensOpenForEpoch of a public vault decreases when a lien token is repaid. Because the liensOpenForEpoch of public Vault A was not increased at buyout, when that lien token is repaid, _payment will fail due to overflow when decreasing liensOpenForEpoch.
Consider the following case:
1. Public Vault B holds a lien token and B.liensOpenForEpoch == 1.
2. Public Vault A buys out B's lien token for refinancing; now B.liensOpenForEpoch == 0 and A.liensOpenForEpoch == 0.
3. The borrower wants to repay the loan. In the _payment function, the decreaseEpochLienCount function of Vault A is called, and A.liensOpenForEpoch-- triggers an overflow, so the borrower is not able to repay the loan.
4. The borrower's collateral will then be auctioned off, but the call to the updateVaultAfterLiquidation function also fails in decreaseEpochLienCount due to the overflow.
As a result, the borrower cannot repay the loan and the borrower's collateral cannot be auctioned off, causing the depositor of the public vault to suffer a loss.
Proof of Concept
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/VaultImplementation.sol#L313-L351
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/LienToken.sol#L835-L843
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L640-L655
Tools Used
None
Recommended Mitigation Steps
In LienToken.buyoutLien, when the caller is a public vault, increase the decreaseEpochLienCount of the public vault
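The accounting mismatch described in this report, reduced to a minimal Solidity model. This is an added example, not Astaria's code or the submitter's proof of concept: VaultModel, LienModel, Scenario, buyoutLienFixed, payment and increaseEpochLienCount are hypothetical names, a single counter stands in for the per-epoch liensOpenForEpoch value, and every vault is assumed to be a public vault.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Model only: one counter stands in for the vault's per-epoch
// liensOpenForEpoch; access control and funds are left out.
contract VaultModel {
    uint256 public liensOpenForEpoch;
    function increaseEpochLienCount() external { liensOpenForEpoch++; } // hypothetical
    // Checked arithmetic: reverts with Panic(0x11) when the counter is 0.
    function decreaseEpochLienCount() external { liensOpenForEpoch--; }
}

contract LienModel {
    VaultModel public holder; // public vault currently holding the lien
    constructor(VaultModel first) {
        holder = first;
        first.increaseEpochLienCount();
    }
    // As reported: the seller's count drops, the buyer's count is not raised.
    function buyoutLien(VaultModel buyer) external {
        holder.decreaseEpochLienCount();
        holder = buyer;
    }
    // Mitigated: the buyer's count is raised in the same call.
    function buyoutLienFixed(VaultModel buyer) external {
        holder.decreaseEpochLienCount();
        buyer.increaseEpochLienCount();
        holder = buyer;
    }
    // Repayment (and liquidation) decrement the current holder's count.
    function payment() external { holder.decreaseEpochLienCount(); }
}

contract Scenario {
    // Exercises both paths: repayment after the reported buyout,
    // then repayment after the mitigated buyout.
    function run() external returns (bool buggyReverts, bool fixedSucceeds) {
        LienModel l1 = new LienModel(new VaultModel()); // held by vault B
        l1.buyoutLien(new VaultModel());                // vault A buys out
        try l1.payment() {} catch { buggyReverts = true; }

        LienModel l2 = new LienModel(new VaultModel());
        VaultModel a = new VaultModel();
        l2.buyoutLienFixed(a);
        try l2.payment() { fixedSucceeds = a.liensOpenForEpoch() == 0; } catch {}
    }
}
```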