Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: match delta p2pDisabled #1453

Merged
merged 7 commits into from
Dec 5, 2022
Merged

fix: match delta p2pDisabled #1453

merged 7 commits into from
Dec 5, 2022

Conversation

MathisGD
Copy link
Collaborator

@MathisGD MathisGD commented Nov 25, 2022
edited by MerlinEgalite
Loading

Issue: when the peer-to-peer is disabled, anyone can match deltas (and so re-create new p2p). It should not be possible.

Fix: https://github.com/spearbit-audits/morpho-novemberAudit/issues/28

@MathisGD MathisGD changed the title fix: prevent match delta when the p2p is disabled fix: match delta p2pDisabled Nov 27, 2022
MerlinEgalite
MerlinEgalite requested changes Nov 27, 2022
View reviewed changes
Copy link
Contributor

@MerlinEgalite MerlinEgalite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should point this PR to an upgrade-1 branch

contracts/aave-v3/EntryPositionsManager.sol Show resolved Hide resolved
@MathisGD MathisGD marked this pull request as ready for review November 27, 2022 15:36
QGarchery
QGarchery requested changes Nov 28, 2022
View reviewed changes
Copy link
Collaborator

@QGarchery QGarchery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. One additional test would be nice, but we can put that in an issue for now, as you wish

contracts/aave-v3/EntryPositionsManager.sol Show resolved Hide resolved
test-foundry/aave-v3/TestP2PDisable.t.sol Show resolved Hide resolved
@MathisGD
Copy link
Collaborator Author

I don't think this will be part of the upgrade-0...

Why not btw ? We can put it in the fixes batch no ?

@MathisGD MathisGD changed the base branch from main to upgrade-0 November 29, 2022 00:09
QGarchery
QGarchery approved these changes Nov 29, 2022
View reviewed changes
test-foundry/aave-v2/TestP2PDisable.t.sol Outdated Show resolved Hide resolved
@MathisGD MathisGD mentioned this pull request Nov 29, 2022
Closed
Rubilmax
Rubilmax reviewed Nov 30, 2022
View reviewed changes
Copy link
Collaborator

@Rubilmax Rubilmax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great! Could we store the boolean p2pDisabled as a variable as it's used twice?

config/eth-mainnet/compound/Config.sol Outdated Show resolved Hide resolved
test-foundry/aave-v2/TestP2PDisable.t.sol Show resolved Hide resolved
MerlinEgalite
MerlinEgalite requested changes Dec 2, 2022
View reviewed changes
Copy link
Contributor

@MerlinEgalite MerlinEgalite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some questions/suggestions

test-foundry/compound/TestP2PDisable.t.sol Show resolved Hide resolved
test-foundry/compound/TestP2PDisable.t.sol Show resolved Hide resolved
test-foundry/compound/TestP2PDisable.t.sol Show resolved Hide resolved
@MathisGD MathisGD mentioned this pull request Dec 2, 2022
Closed
MerlinEgalite
MerlinEgalite requested changes Dec 2, 2022
View reviewed changes
Copy link
Contributor

@MerlinEgalite MerlinEgalite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been resolved without commit being pushed, perhaps you forget to push

@MathisGD
Copy link
Collaborator Author

MathisGD commented Dec 2, 2022

This has been resolved without commit being pushed, perhaps you forget to push

Yes lol

@MrToph
Copy link

MrToph commented Dec 5, 2022

looks good to me.

Just to clarify/document: The reason why we're only preventing this for supply and borrow and not for repay and withdraw is that for repay and withdraw, while we're also reducing the delta, we're not actually creating new p2p credit lines (p2pAmount also decreases, so the diff is zero). It can be seen as if we're unmatching our own p2p balance, reducing the delta, shifting our p2p balance to on pool, and then withdrawing from the pool.

StErMi
StErMi reviewed Dec 5, 2022
View reviewed changes
contracts/compound/PositionsManager.sol
@@ -251,11 +251,12 @@ contract PositionsManager is IPositionsManager, MatchingEngine {
SupplyVars memory vars;
vars.poolBorrowIndex = lastPoolIndexes[_poolToken].lastBorrowPoolIndex;
vars.remainingToSupply = _amount;
bool p2pDisabled = p2pDisabled[_poolToken];
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The local p2pDisabled variable is shadowing the state variable p2pDisabled

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that this is common enough in the codebase. You think that this is an issue ?

For me the type system of Solidity does the job of preventing any confusion.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that this specifically is a problem, but if you can avoid it, it would be much better. For the same reason, I have created an information issue for all the other instances I've found about shadowing a state variable.

See https://swcregistry.io/docs/SWC-119 for more info about the problem.

Copy link
Collaborator Author

@MathisGD MathisGD Dec 5, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that it would be better if avoided, but it should not be at the cost of adding new variable names for the same thing everywhere.
For next iterations, we should agree on a naming convention for stack and memory variables that removes any ambiguity.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merging it, for now, we'll discuss this point and find a general solution for this

@MerlinEgalite MerlinEgalite merged commit 9960c1d into upgrade-0 Dec 5, 2022
@MerlinEgalite MerlinEgalite deleted the fix/match-delta branch December 5, 2022 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@StErMi StErMi StErMi left review comments

@MerlinEgalite MerlinEgalite MerlinEgalite approved these changes

@QGarchery QGarchery QGarchery approved these changes

@pakim249CAL pakim249CAL pakim249CAL approved these changes

@Rubilmax Rubilmax Awaiting requested review from Rubilmax

Assignees
No one assigned
Labels
👻 aave-v2 👻 aave-v3 🟢 compound 🧪 testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@MathisGD @MrToph @StErMi @Rubilmax @QGarchery @MerlinEgalite @pakim249CAL