Lendgine.mint doesn't return overpaid collateral #86

code423n4 · 2023-01-30T13:02:22Z

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Lendgine.sol#L71-L102

Vulnerability details

Impact

Lendgine.mint doesn't return overpaid collateral and doesn't provide more liquidity for him.

Proof of Concept

When borrower wants to get liquidity from the pool he calls Lendgine.mint function.
https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Lendgine.sol#L71-L102

  function mint(
    address to,
    uint256 collateral,
    bytes calldata data
  )
    external
    override
    nonReentrant
    returns (uint256 shares)
  {
    _accrueInterest();


    uint256 liquidity = convertCollateralToLiquidity(collateral);
    shares = convertLiquidityToShare(liquidity);


    if (collateral == 0 || liquidity == 0 || shares == 0) revert InputError();
    if (liquidity > totalLiquidity) revert CompleteUtilizationError();
    // next check is for the case when liquidity is borrowed but then was completely accrued
    if (totalSupply > 0 && totalLiquidityBorrowed == 0) revert CompleteUtilizationError();


    totalLiquidityBorrowed += liquidity;
    (uint256 amount0, uint256 amount1) = burn(to, liquidity);
    _mint(to, shares);


    uint256 balanceBefore = Balance.balance(token1);
    IMintCallback(msg.sender).mintCallback(collateral, amount0, amount1, liquidity, data);
    uint256 balanceAfter = Balance.balance(token1);


    if (balanceAfter < balanceBefore + collateral) revert InsufficientInputError();


    emit Mint(msg.sender, collateral, shares, liquidity, to);
  }

This function calculates amount of liquidity that will be borrowed to the caller, mints him propotional amount of shares and then calls IMintCallback in order to receive collateral from user.
if (balanceAfter < balanceBefore + collateral) revert InsufficientInputError();
This is how amount received from user is checked. It's possible that user will pay more collateral actually. And in this case nothing is sent back to him and also he doesn't receive more liquidity and shares.

Tools Used

VsCode

Recommended Mitigation Steps

Do not allow user to pay more then collateral amount.

The text was updated successfully, but these errors were encountered:

c4-judge · 2023-02-06T17:29:17Z

berndartmueller marked the issue as duplicate of #174

c4-judge · 2023-02-14T15:51:45Z

berndartmueller marked the issue as satisfactory

code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 30, 2023

code423n4 added a commit that referenced this issue Jan 30, 2023

rvierdiiev issue #86

a25368e

code423n4 changed the title ~~Pair.mint doesn't return overpaid value~~ Lendgine.mint doesn't return overpaid collateral Jan 30, 2023

code423n4 added the edited-by-warden label Jan 30, 2023

c4-judge closed this as completed Feb 6, 2023

c4-judge added the duplicate-174 label Feb 6, 2023

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 14, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Lendgine.mint doesn't return overpaid collateral #86

Lendgine.mint doesn't return overpaid collateral #86

code423n4 commented Jan 30, 2023 •

edited

c4-judge commented Feb 6, 2023

c4-judge commented Feb 14, 2023

Lendgine.mint doesn't return overpaid collateral #86

Lendgine.mint doesn't return overpaid collateral #86

Comments

code423n4 commented Jan 30, 2023 • edited

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Feb 6, 2023

c4-judge commented Feb 14, 2023

code423n4 commented Jan 30, 2023 •

edited