Liquidity provider funds may be trapped in the vault via TotalAssets inflation. #319
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-188
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4 added the 3 (High Risk) and bug labels (Jan 18, 2023)
code423n4 changed the title from "Liquidity provider funds may be trapped in the vault after lender ask for redeem and the vault refinance a new lien." to "Liquidity provider funds may be trapped in the vault via TotalAssets inflation." (Jan 19, 2023)
c4-judge added the primary issue label (Highest quality submission among a set of duplicates) (Jan 26, 2023)
Picodes marked the issue as primary issue
SantiagoGregory marked the issue as sponsor confirmed
c4-sponsor added the sponsor confirmed label (Jan 27, 2023)
Duplicate with #303
c4-judge added the duplicate-222 label and removed the primary issue label (Feb 18, 2023)
Picodes marked the issue as duplicate of #222
c4-judge added the satisfactory label (Feb 18, 2023)
Picodes marked the issue as satisfactory
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #188
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L332
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L117
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L275
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L359
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L490
Vulnerability details
Impact
The liquidity provider can lend to public vaults in order to finance vaults. The problem is that the lender can call the redeem() function, then the vault supports/refinances a new lien from another vault, then the borrower repays his debt, and then the processEpoch() function will revert with an arithmetic under/overflow error.
The processEpoch() will revert because there is a problem in the calculation with the totalAssets(), so the s.yIntercept will be less than the totalAssets and the subtraction will revert with an underflow error.
The liquidity provider cannot get his money because processEpoch() will not accumulate the withdrawReserve, then the transferWithdrawReserve() function will not transfer the liquidity provider funds to the WithdrawProxy.
In the next test you can see that after the borrower repayment the totalAssets() will be inflated.
Proof of Concept
I created a test in AstariaTest.t.sol:
As you can see in the logs, the totalAssets() increments more than yIntercept, causing the underflow.
Output:
Tools used
Foundry/Vscode
Recommended Mitigation Steps
Review the totalAssets() calculation. After the borrower repayment the totalAssets() is inflated.