bin2chen - getTargetExternalLendingAmount() targetAmount may far less than the correct value #52
Labels
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
|
1 comment(s) were left on this issue during the judging contest. takarez commented:
|
sherlock-admin2
changed the title
sherlock-admin2
added
Reward
|
The protocol team fixed this issue in PR/commit notional-finance/contracts-v3#25. |
|
The Lead Senior Watson signed-off on the fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
bin2chen
medium
getTargetExternalLendingAmount() targetAmount may far less than the correct value
Summary
When calculating
ExternalLending.getTargetExternalLendingAmount(),it restricts
targetAmountgreater thanoracleData.maxExternalDeposit.However, it does not take into account that
oracleData.maxExternalDepositincludes the protocol depositcurrentExternalUnderlyingLendThis may result in the returned quantity being far less than the correct quantity.
Vulnerability Detail
in
getTargetExternalLendingAmount()It restricts
targetAmountgreater thanoracleData.maxExternalDeposit.this is :
targetAmount = min(targetExternalUnderlyingLend, maxExternalUnderlyingLend, oracleData.maxExternalDeposit)The problem is that when calculating
oracleData.maxExternalDeposit, it does not exclude the existing depositcurrentExternalUnderlyingLendof the current protocol.For example:
currentExternalUnderlyingLend = 100targetExternalUnderlyingLend = 100maxExternalUnderlyingLend = 10000oracleData.maxExternalDeposit = 0(All AAVE deposits include the current depositcurrentExternalUnderlyingLend)If according to the current calculation result:
targetAmount=0, this will result in needing to withdraw100. (currentExternalUnderlyingLend - targetAmount)In fact, only when the calculation result needs to increase the
deposit(targetAmount > currentExternalUnderlyingLend), it needs to be restricted bymaxExternalDeposit.The correct one should be neither deposit nor withdraw, that is,
targetAmount=currentExternalUnderlyingLend = 100.Impact
A too small
targetAmountwill cause the withdrawal of deposits that should not be withdrawn, damaging the interests of the protocol.Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/internal/balances/ExternalLending.sol#L89C1-L97C11
Tool used
Manual Review
Recommendation
Only when
targetAmount > currentExternalUnderlyingLendis a deposit needed, it should be considered that it cannot exceedoracleData.maxExternalDepositfunction getTargetExternalLendingAmount( Token memory underlyingToken, PrimeCashFactors memory factors, RebalancingTargetData memory rebalancingTargetData, OracleData memory oracleData, PrimeRate memory pr ) internal pure returns (uint256 targetAmount) { ... - targetAmount = SafeUint256.min( - // totalPrimeCashInUnderlying and totalPrimeDebtInUnderlying are in 8 decimals, convert it to native - // token precision here for accurate comparison. No underflow possible since targetExternalUnderlyingLend - // is floored at zero. - uint256(underlyingToken.convertToExternal(targetExternalUnderlyingLend)), - // maxExternalUnderlyingLend is limit enforced by setting externalWithdrawThreshold - // maxExternalDeposit is limit due to the supply cap on external pools - SafeUint256.min(maxExternalUnderlyingLend, oracleData.maxExternalDeposit) - ); + targetAmount = SafeUint256.min(uint256(underlyingToken.convertToExternal(targetExternalUnderlyingLend)),maxExternalUnderlyingLend); + if (targetAmount > oracleData.currentExternalUnderlyingLend) { //when deposit , must check maxExternalDeposit + uint256 forDeposit = targetAmount - oracleData.currentExternalUnderlyingLend; + if (forDeposit > oracleData.maxExternalDeposit) { + targetAmount = targetAmount.sub( + forDeposit - oracleData.maxExternalDeposit + ); + } + }The text was updated successfully, but these errors were encountered: