A borrower can use the liquidity of the vault without paying any fees if he repays in the same block #338

Closed
c4-bot-5 opened this issue Mar 15, 2024 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-435 🤖_271_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-5

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L954

Vulnerability details

Impact

A borrower can use the liquidity of the vault without paying any fees. A liquidator can use the liquidity of the protocol to make a liquidation. The functionality to do a liquidation with a Uniswap flashLoan is useless.

Proof of Concept

A borrower can use the liquidity of the vault without paying any fees. A liquidator can use the liquidity of the protocol to make a liquidation. The functionality to do a liquidation with a Uniswap flashLoan is useless.

When a user borrows, the protocol increases his debt and he receives the amount that he borrowed. The problem is that a user can repay at any time; he can repay exactly the same amount that he borrowed if he repays in the same block, which basically gives him a free flashloan. Users could use this to do arbitrage or, worse, liquidations in the protocol itself. If a position is liquidable and the lend amount is bigger than the debt, a liquidator could borrow, pay the liquidation cost, get the liquidation value, and repay exactly the same amount. He then performed a liquidation without taking any risk or paying any fees.

You can run this test in the VaultV3.t.sol

    function testFreeFlashloan() external {
        _setupBasicLoan(true);
        (, uint256 fullValue, uint256 collateralValue,,) = vault.loanInfo(TEST_NFT);
        vm.startPrank(TEST_NFT_ACCOUNT);
        USDC.approve(address(vault), collateralValue);
        vault.repay(TEST_NFT, collateralValue, false);
        vm.stopPrank();
        (uint256 debt,,,,) = vault.loanInfo(TEST_NFT);
        assertEq(debt, 0);
    }

Tools Used

Echidna

Recommended Mitigation Steps

The protocol should add a variable in the Loan struct, increment it in the borrow function (L567-L570), and add a require in the _repay function (L957-L960).

    struct Loan {
        uint256 debtShares;
        uint256 timeOfBorrow;
    }

borrow function:

    uint256 loanDebtShares = loan.debtShares + shares;
    loan.debtShares = loanDebtShares;
    loan.timeOfBorrow = block.timestamp;
    debtSharesTotal += shares;

in the _repay function:

    Loan storage loan = loans[tokenId];
    // timeOfBorrow is never in the future, so the check must be block.timestamp > timeOfBorrow
    require(block.timestamp > loan.timeOfBorrow, "Could not repay in the same block");
    uint256 currentShares = loan.debtShares;

Assessed type

MEV
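
An added Python model (not the project's Solidity and not code from the report) of why a borrow repaid at the same timestamp costs nothing, and of how the direction of the comparison in the proposed guard decides whether it blocks only same-block repayment or every repayment. `ToyVault`, the linear interest rate and all amounts are constructed assumptions.

```python
# Toy model (constructed for illustration; not V3Vault.sol).
# Assumption: simple linear per-second interest; the real vault's rate model differs.
RATE_PPB_PER_SECOND = 10          # constructed rate, parts per billion per second


class RepayBlocked(Exception):
    """Stands in for a Solidity revert."""


class ToyVault:
    def __init__(self, guard=None):
        # guard: None       -> no check (behaviour the report describes)
        #        "strict"   -> require(block.timestamp > timeOfBorrow)
        #        "inverted" -> require(timeOfBorrow > block.timestamp)
        self.guard = guard
        self.now = 1_700_000_000  # stands in for block.timestamp
        self.principal = 0
        self.time_of_borrow = 0

    def advance(self, seconds):
        self.now += seconds

    def borrow(self, amount):
        self.principal = amount
        self.time_of_borrow = self.now   # the field the report proposes adding

    def debt(self):
        elapsed = self.now - self.time_of_borrow
        return self.principal + self.principal * RATE_PPB_PER_SECOND * elapsed // 10**9

    def repay_all(self):
        """Repay the whole debt; returns the interest paid on top of principal."""
        if self.guard == "strict" and not self.now > self.time_of_borrow:
            raise RepayBlocked("same-block repay")
        if self.guard == "inverted" and not self.time_of_borrow > self.now:
            raise RepayBlocked("condition can never hold after a borrow")
        interest = self.debt() - self.principal
        self.principal = 0
        return interest


def interest_paid(guard, seconds_held, amount=1_000_000_000):
    """Borrow, wait, repay; returns interest paid, or None if the repay reverted."""
    vault = ToyVault(guard)
    vault.borrow(amount)
    vault.advance(seconds_held)
    try:
        return vault.repay_all()
    except RepayBlocked:
        return None
```
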

@c4-bot-5 c4-bot-5 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Mar 15, 2024
c4-bot-5 added a commit that referenced this issue Mar 15, 2024
@c4-bot-12 c4-bot-12 added the 🤖_271_group AI based duplicate group recommendation label Mar 15, 2024
@c4-pre-sort

0xEVom marked the issue as duplicate of #435

@c4-pre-sort

0xEVom marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 22, 2024
@jhsagd76

he needs to swap coll and debt

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Mar 31, 2024
@c4-judge

jhsagd76 changed the severity to 2 (Med Risk)

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Apr 1, 2024
@c4-judge

c4-judge commented Apr 1, 2024

jhsagd76 marked the issue as satisfactory
