This repository has been archived by the owner on May 26, 2023. It is now read-only.

seyni - UserManager.updateFrozenInfo cannot be called from UToken #41

Closed
sherlock-admin opened this issue Nov 4, 2022 · 0 comments



sherlock-admin commented Nov 4, 2022

seyni

medium

UserManager.updateFrozenInfo cannot be called from UToken

Summary

The new version of the contract does not allow UserManager.updateFrozenInfo to be called from UToken. Hence, if a borrower is overdue he will not be able to repay his principal through UToken._repayBorrowFresh.

Vulnerability Detail

When UToken._repayBorrowFresh is called for an overdue borrower, the call will always revert if repayAmount >= interest, because it calls updateFrozenInfo on the UserManager contract:

    if (isOverdue) {
        // For borrowers that are paying back overdue balances we need to update their
        // frozen balance and the global total frozen balance on the UserManager
        IUserManager(userManager).updateFrozenInfo(borrower, 0);
    }

But UserManager.updateFrozenInfo cannot be called from the UToken contract. Only the Comptroller contract can call this function:

    function updateFrozenInfo(address staker, uint256 pastBlocks) external onlyComptroller returns (uint256, uint256) {
        return _updateFrozen(staker, pastBlocks);
    }

Impact

When a borrower is overdue he will not be able to repay his principal: any call to UToken._repayBorrowFresh with repayAmount >= interest will revert.

Code Snippet

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/market/UToken.sol#L624

                IUserManager(userManager).updateFrozenInfo(borrower, 0);

https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/user/UserManager.sol#L881

    function updateFrozenInfo(address staker, uint256 pastBlocks) external onlyComptroller returns (uint256, uint256) {

Tool used

Manual Review

Recommendation

Add access for the UToken contract to UserManager.updateFrozenInfo by using this modifier:

    modifier onlyMarketOrComptroller() {
        if (address(uToken) != msg.sender && address(comptroller) != msg.sender) revert AuthFailed();
        _;
    }

Duplicate of #133
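The access-control failure and the recommended modifier, as an added Foundry test that is not part of Union's code base or of this report: UserManagerModel is a simplified stand-in whose _updateFrozen is a placeholder counter, and the contract, test and address names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "forge-std/Test.sol";
error AuthFailed();

// Stand-in for UserManager: only the access control from the report is modelled;
// _updateFrozen is a placeholder counter, not Union's real frozen-balance accounting.
contract UserManagerModel {
    address public immutable comptroller;
    address public immutable uToken;
    uint256 public updates; // calls that got past the access check
    constructor(address _comptroller, address _uToken) { comptroller = _comptroller; uToken = _uToken; }
    // Audited check: only the Comptroller passes, so the market contract is blocked.
    modifier onlyComptroller() { if (msg.sender != comptroller) revert AuthFailed(); _; }
    // Recommended check from the report: the market (UToken) or the Comptroller may call.
    modifier onlyMarketOrComptroller() {
        if (uToken != msg.sender && comptroller != msg.sender) revert AuthFailed();
        _;
    }
    function updateFrozenInfo(address staker, uint256 pastBlocks) external onlyComptroller returns (uint256, uint256) {
        return _updateFrozen(staker, pastBlocks);
    }
    function updateFrozenInfoFixed(address staker, uint256 pastBlocks) external onlyMarketOrComptroller returns (uint256, uint256) {
        return _updateFrozen(staker, pastBlocks);
    }
    function _updateFrozen(address, uint256) internal returns (uint256, uint256) { updates++; return (0, 0); }
}

contract UpdateFrozenInfoAccessTest is Test {
    address comptroller = makeAddr("comptroller");
    address uToken = makeAddr("uToken");
    address borrower = makeAddr("borrower");
    UserManagerModel um;
    function setUp() public { um = new UserManagerModel(comptroller, uToken); }
    // Reproduces the finding: the call UToken makes on the overdue-repay path reverts with AuthFailed.
    function testUTokenBlockedByOnlyComptroller() public {
        vm.prank(uToken);
        vm.expectRevert(AuthFailed.selector);
        um.updateFrozenInfo(borrower, 0);
    }
    // With the recommended modifier UToken gets through, and an unrelated caller is still rejected.
    function testUTokenAllowedWithRecommendedModifier() public {
        vm.prank(uToken);
        um.updateFrozenInfoFixed(borrower, 0);
        assertEq(um.updates(), 1);
        vm.prank(makeAddr("stranger"));
        vm.expectRevert(AuthFailed.selector);
        um.updateFrozenInfoFixed(borrower, 0);
    }
}
```

Run with `forge test` in a project that has forge-std installed; the first test documents the regression, the second guards the fix against re-opening updateFrozenInfo to arbitrary callers.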
