Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app

First borrower receives all shares when debtSharesSupply is 0, leading to loss for subsequent borrower. #295

Closed rajatbeladiya closed 1 year ago

rajatbeladiya commented 1 year ago

Affected Contract

BorrowingVault.sol

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L419

Description

The _convertDebtToShares() function in the BorrowingVault contract returns debt as shares when the debtSharesSupply is 0. This results in the first borrower receiving all the shares and subsequent borrowers getting fewer shares than they should.

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L419

Scenario:

  1. Alice borrows the initial debt and receives 100 shares.
  2. Bob borrows after Alice; he will get fewer shares, approx. 50.

Impact:

This will be a loss for the first borrower because he will get more shares of debt. He needs to repay more in terms of other users.

Severity:

High

Recommendation:

Uniswap solves this problem by sending 1000 tokens to the zero address. Similarly, you should send some amount of initial shares to the zero address.

0xdcota commented 1 year ago

The inflation attack was resolved in pull request #541.
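
The following is an added example, not code from the issue or from the Fuji repository: a small Python model of debt-share accounting for checking the scenario's share counts (100 and 50) against what each borrower owes. Only the zero-supply branch comes from the issue text; the pro-rata branch, the round-up direction, the `DebtShareLedger` class and the interest amount are assumptions made for illustration.

```python
from dataclasses import dataclass, field


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass
class DebtShareLedger:
    """Hypothetical model; not the BorrowingVault implementation."""
    total_debt: int = 0          # debt outstanding, in asset units
    debt_shares_supply: int = 0  # named after debtSharesSupply in the issue
    shares: dict = field(default_factory=dict)

    def convert_debt_to_shares(self, debt: int) -> int:
        if self.debt_shares_supply == 0:
            return debt  # branch described in the issue: debt returned as shares
        # Assumption: pro-rata conversion, rounded up
        return ceil_div(debt * self.debt_shares_supply, self.total_debt)

    def convert_shares_to_debt(self, shares: int) -> int:
        if self.debt_shares_supply == 0:
            return shares
        return ceil_div(shares * self.total_debt, self.debt_shares_supply)

    def borrow(self, who: str, debt: int) -> int:
        minted = self.convert_debt_to_shares(debt)
        self.shares[who] = self.shares.get(who, 0) + minted
        self.debt_shares_supply += minted
        self.total_debt += debt
        return minted

    def accrue(self, interest: int) -> None:
        self.total_debt += interest  # interest raises debt, mints no shares

    def owed(self, who: str) -> int:
        return self.convert_shares_to_debt(self.shares.get(who, 0))


def scenario():
    ledger = DebtShareLedger()
    alice_shares = ledger.borrow("alice", 100)  # first borrower: 1:1
    ledger.accrue(100)                          # constructed: debt doubles
    bob_shares = ledger.borrow("bob", 100)      # same debt, fewer shares
    return (alice_shares, bob_shares,
            ledger.owed("alice"), ledger.owed("bob"), ledger.total_debt)


if __name__ == "__main__":
    print(scenario())
```
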