Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating node_wallet.total_funds based on user input is problematic and could mess up with accounting #21

Open
c4-bot-10 opened this issue Apr 29, 2024 · 9 comments
Open

Updating node_wallet.total_funds based on user input is problematic and could mess up with accounting #21

c4-bot-10 opened this issue Apr 29, 2024 · 9 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_21_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-bot-10
Copy link
Contributor

c4-bot-10 commented Apr 29, 2024
edited by c4-bot-8
Loading

Lines of code

https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/lending.rs#L87

Vulnerability details

Impact

A malicious actor can send SOL directly to a node_wallet (lender's funding account). When the lender withdraws all available SOL amount, ctx.accounts.node_wallet.total_funds will underflow and becomes a big number. This is because ctx.accounts.node_wallet.total_funds is updated based on user input while not considering external direct transfer.

	let from = &ctx.accounts.node_wallet.to_account_info();
	let to = &ctx.accounts.funder;
	**from.try_borrow_mut_lamports()? -= amount;
	**to.try_borrow_mut_lamports()? += amount;
	ctx.accounts.node_wallet.total_funds -= amount;

lending.rs#L87

As a result, the accounting in the protocol for the node and relevant trading pool is messed up as total_funds is a core invariant in the protocol.

Another way of manipulating total_funds:

if the borrower set the fee_receipient to the node account, the ctx.accounts.node_wallet.total_funds will have an incorrect value, because it deducts the interest_share from repay_amount even if fee_receipient was the node account.

  ctx.accounts.node_wallet.total_funds += repay_amount - interest_share;

swapback.rs#L196

Proof of Concept

Included within the impact description above for easiness

Tools Used

Manual analysis

Recommended Mitigation Steps

Always update ctx.accounts.node_wallet.total_funds based on the actual balance (lamports) of node_wallet. This way, we get consistency naturally by design.

Assessed type

Under/Overflow
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 29, 2024
c4-bot-6 added a commit that referenced this issue Apr 29, 2024
@c4-bot-6
Koolex issue #21
d9d2992
@c4-bot-11 c4-bot-11 added the 🤖_21_group AI based duplicate group recommendation label Apr 29, 2024
@c4-sponsor
Copy link

piske-alex (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label May 1, 2024
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label May 1, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 1, 2024

alcueca marked the issue as satisfactory

@c4-judge
Copy link
Contributor

c4-judge commented May 1, 2024

alcueca marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label May 1, 2024
@DadeKuma
Copy link

DadeKuma commented May 2, 2024

Similar to #30, this seems QA to me. The attacker has zero incentives in doing this and the protocol is not at risk. They are donating money to get nothing in return, which is a self-rekt. total_funds isn't used anywhere, and there isn't a leak of funds.

@koolexcrypto
Copy link

To not repeat the same comment again. Please check this #30 (comment)

Thank you

@alcueca
Copy link

alcueca commented May 3, 2024

I agree with @DadeKuma. While it might be annoying to not be able to trust total_funds, the protocol will function normally. No funds will be lost, and the team will have to find a different way to display the correct data in the frontend. That's about it.

@c4-judge
Copy link
Contributor

c4-judge commented May 3, 2024

alcueca changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 3, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 3, 2024

alcueca marked the issue as not selected for report

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label May 3, 2024
@c4-judge
Copy link
Contributor

c4-judge commented May 3, 2024

alcueca marked the issue as grade-a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_21_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@DadeKuma @alcueca @koolexcrypto @c4-judge @c4-sponsor @code4rena-admin @c4-bot-10 @c4-bot-11