This repository has been archived by the owner on Nov 5, 2023. It is now read-only.
devScrooge - Accrue function is not called before executing some functions #10
Labels
Non-Reward
This issue will not receive a payout
Sponsor Disputed
The sponsor disputed this issue's validity
Won't Fix
The sponsor confirmed this issue will not be fixed
devScrooge
medium
Accrue function is not called before executing some functions
Summary
As the NatSpec comments and documentation indicate, the functions
getDebtValue
,getIsolatedCollateralValue
,getPositionDebt
, on theBlueBerryBank
contract, theaccrue
function should be called first to get the current debt, but it is actually not being called.Vulnerability Detail
The NatSpec lines 340, 420, 431 and also in the Blueberry docs indicates that:
The function should be called after calling the accrue function to get the current debt
.But actually none of these function (
getDebtValue
,getIsolatedCollateralValue
,getPositionDebt
) are calling theaccrue
function before.Impact
No calling the
accrue
function before executing the mentioned function means that the following operations and/or calculations are not done with the actual value of the current debt, thus a non-correct value is being used.Inside the
BlueBerryBank
contract, all of the mentioned functions are called by functions that are called by other functions that implement thepoke
modifier, which in turn calls the accrue function. This means that the debt is going to be updated to the current one so the value will be correct but thegetDebtValue
,getIsolatedCollateralValue
,getPositionDebt
functions are public so future or external implemented contracts can call them and use a non update value for the current debt.Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L340,
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L420,
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L431
Tool used
Manual Review
Recommendation
Add the
poke
modifier to thegetDebtValue
,getIsolatedCollateralValue
,getPositionDebt
functions so that if external contracts call to this functions a correct value of the current debt is going to be used correct.The text was updated successfully, but these errors were encountered: