This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

devScrooge - Accrue function is not called before executing some functions #10

Closed
sherlock-admin opened this issue Apr 30, 2023 · 1 comment
Labels
Non-Reward (This issue will not receive a payout), Sponsor Disputed (The sponsor disputed this issue's validity), Won't Fix (The sponsor confirmed this issue will not be fixed)

Comments

@sherlock-admin

devScrooge

medium

Accrue function is not called before executing some functions

Summary

As the NatSpec comments and documentation indicate for the functions getDebtValue, getIsolatedCollateralValue and getPositionDebt on the BlueBerryBank contract, the accrue function should be called first to get the current debt, but it is actually not being called.

Vulnerability Detail

The NatSpec at lines 340, 420 and 431, and also the Blueberry docs, indicate that: The function should be called after calling the accrue function to get the current debt.

But actually none of these functions (getDebtValue, getIsolatedCollateralValue, getPositionDebt) call the accrue function beforehand.

Impact

Not calling the accrue function before executing the mentioned functions means that the following operations and/or calculations are not done with the actual value of the current debt, thus an incorrect value is being used.

Inside the BlueBerryBank contract, all of the mentioned functions are called by functions that are called by other functions that implement the poke modifier, which in turn calls the accrue function. This means that the debt is going to be updated to the current one, so the value will be correct, but the getDebtValue, getIsolatedCollateralValue and getPositionDebt functions are public, so future or externally implemented contracts can call them and use a non-updated value for the current debt.

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L340,
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L420,
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L431

Tool used

Manual Review

Recommendation

Add the poke modifier to the getDebtValue, getIsolatedCollateralValue and getPositionDebt functions so that if external contracts call these functions, a correct value of the current debt is going to be used.

@github-actions bot added the Medium (A valid Medium severity issue) and Has Duplicates (A valid issue with 1+ other issues describing the same vulnerability) labels on May 3, 2023
@Gornutz

Gornutz commented May 10, 2023

None of these functions are calling accrue since they are view functions, and it's saying that the user or @dev should be the one to call accrue first to get the current debt. Additionally, when a user is modifying their position inside of a leverage position, they are accruing all outstanding interest when they attempt to adjust their position.

@Gornutz added the Sponsor Disputed (The sponsor disputed this issue's validity) and Won't Fix (The sponsor confirmed this issue will not be fixed) labels on May 10, 2023
@sherlock-admin added the Non-Reward (This issue will not receive a payout) label and removed the Medium (A valid Medium severity issue) and Has Duplicates (A valid issue with 1+ other issues describing the same vulnerability) labels on May 20, 2023
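
The stale-read pattern this thread is about, as an added example that is not code from the issue or from Blueberry: a simplified Solidity model in which a view getter returns stored debt, a state-changing accrue() refreshes it, and an integrating contract accrues before reading. ToyBank, Integrator, every function name and the linear interest rule are assumptions made for illustration; getDebtProjected goes beyond the thread to show a getter that stays view while still reflecting elapsed interest.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model, NOT BlueBerryBank: all names and the interest rule are assumptions.
contract ToyBank {
    uint256 public constant RATE_PER_SECOND = 1e10; // constructed rate, scaled by 1e18
    uint256 public totalDebt;   // stored debt, only current as of lastAccrued
    uint256 public lastAccrued; // timestamp of the last accrue()

    constructor(uint256 initialDebt) {
        totalDebt = initialDebt;
        lastAccrued = block.timestamp;
    }

    // State-changing: folds interest since lastAccrued into totalDebt.
    function accrue() public {
        totalDebt = _debtAt(block.timestamp);
        lastAccrued = block.timestamp;
    }

    // View getter of the kind the issue describes: returns the stored value,
    // so it is stale unless accrue() already ran in the same block.
    function getDebtStored() external view returns (uint256) {
        return totalDebt;
    }

    // Alternative that stays `view`: project the debt to now without writing state.
    function getDebtProjected() external view returns (uint256) {
        return _debtAt(block.timestamp);
    }

    function _debtAt(uint256 ts) internal view returns (uint256) {
        uint256 elapsed = ts - lastAccrued;
        return totalDebt + (totalDebt * RATE_PER_SECOND * elapsed) / 1e18;
    }
}

// Integrator side: accrue first, then read, within one transaction.
contract Integrator {
    function currentDebt(ToyBank bank) external returns (uint256) {
        bank.accrue();
        return bank.getDebtStored();
    }
}
```

A modifier that calls a state-changing function cannot be attached to a function that remains view, so an integrator reading a stored-value getter has to order the calls as Integrator.currentDebt does.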