bin2chen - getTargetExternalLendingAmount() targetAmount may far less than the correct value #52
Labels
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
bin2chen
medium
getTargetExternalLendingAmount() targetAmount may far less than the correct value
Summary
When ExternalLending.getTargetExternalLendingAmount() calculates its result, it restricts targetAmount to be no greater than oracleData.maxExternalDeposit. However, it does not take into account that oracleData.maxExternalDeposit includes the protocol's existing deposit, currentExternalUnderlyingLend.
This may result in the returned quantity being far less than the correct quantity.
Vulnerability Detail
In getTargetExternalLendingAmount(), targetAmount is restricted to be no greater than oracleData.maxExternalDeposit, that is:
targetAmount = min(targetExternalUnderlyingLend, maxExternalUnderlyingLend, oracleData.maxExternalDeposit)
The problem is that the calculation of oracleData.maxExternalDeposit does not exclude the protocol's existing deposit, currentExternalUnderlyingLend.
For example:
currentExternalUnderlyingLend = 100
targetExternalUnderlyingLend = 100
maxExternalUnderlyingLend = 10000
oracleData.maxExternalDeposit = 0 (All AAVE deposits include the current deposit currentExternalUnderlyingLend)
According to the current calculation, the result is targetAmount = 0, which means 100 needs to be withdrawn (currentExternalUnderlyingLend - targetAmount).
In fact, the result needs to be restricted by maxExternalDeposit only when it requires increasing the deposit (targetAmount > currentExternalUnderlyingLend).
The correct result is neither a deposit nor a withdrawal, that is, targetAmount = currentExternalUnderlyingLend = 100.
Impact
A targetAmount that is too small will cause the withdrawal of deposits that should not be withdrawn, damaging the interests of the protocol.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/internal/balances/ExternalLending.sol#L89C1-L97C11
Tool used
Manual Review
Recommendation
A deposit is needed only when targetAmount > currentExternalUnderlyingLend; only in that case should the amount be limited so that it cannot exceed oracleData.maxExternalDeposit.
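
The calculation described in this report next to one reading of the recommendation, as an added example that is not the Notional contract code. The library, contract and function names are hypothetical, and the sketch assumes maxExternalDeposit is the remaining capacity, so the cap is applied to the increase over the current deposit; reportExample() evaluates both versions on the report's numbers, for which the report gives 0 for the current calculation and 100 as the correct value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not project code. Parameter names mirror the report's variables.
library TargetAmountExample {
    function min(uint256 a, uint256 b) private pure returns (uint256) {
        return a < b ? a : b;
    }

    // Behaviour described in the report: maxExternalDeposit caps the whole target.
    function targetAsReported(
        uint256 targetExternalUnderlyingLend,
        uint256 maxExternalUnderlyingLend,
        uint256 maxExternalDeposit
    ) internal pure returns (uint256) {
        return min(min(targetExternalUnderlyingLend, maxExternalUnderlyingLend), maxExternalDeposit);
    }

    // Recommendation: apply the cap only when the deposit has to grow.
    // Assumption: the cap limits the increase (targetAmount - current), not the total.
    // The addition cannot overflow: it runs only when maxExternalDeposit < increase.
    function targetRecommended(
        uint256 currentExternalUnderlyingLend,
        uint256 targetExternalUnderlyingLend,
        uint256 maxExternalUnderlyingLend,
        uint256 maxExternalDeposit
    ) internal pure returns (uint256 targetAmount) {
        targetAmount = min(targetExternalUnderlyingLend, maxExternalUnderlyingLend);
        if (targetAmount > currentExternalUnderlyingLend) {
            uint256 increase = targetAmount - currentExternalUnderlyingLend;
            if (increase > maxExternalDeposit) {
                targetAmount = currentExternalUnderlyingLend + maxExternalDeposit;
            }
        }
    }
}

contract TargetAmountCheck {
    // Inputs from the report: current = 100, target = 100, max = 10000, maxExternalDeposit = 0.
    function reportExample() external pure returns (uint256 reported, uint256 recommended) {
        reported = TargetAmountExample.targetAsReported(100, 10000, 0);
        recommended = TargetAmountExample.targetRecommended(100, 100, 10000, 0);
    }
}
```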