Closed pedrovalido closed 1 year ago
check how morpho does it
check deployment scripts. check vanila router PR
chosen option: in the beginning there are not debtShares so no problem.
If someone repays the the vaults debt, we call an admin function with requirements (debt = 0 and debtShares > 0) that borrows input amount -> check input amount ???
[H-1] Someone can execute a Denial of Service on Fuji’s Borrowing vault.
Description
Multiple lending providers offer the option to repay a loan on someone else's behalf. For example, Aave V2 allows this feature.
It's possible for someone to leverage this feature and pay off vault debts. The Fuji vault currently does not handle this case, halting both borrowing and payback, locking collateral for borrowers.
The reason is
convertDebtToShares
would revert due to division by 0While paying a vault's debt is theoretically possible, one may question why someone would do so.
We acknowledge that it is less probable for individuals to pay off significant debts, but in the early stages of the vault, when the debt is minimal or even worth 1 wei, one can pay it on the vault's behalf and execute a denial of service on further debt actions on the vault for a lifetime.
The only option for Fuji in this scenario would be to redeploy the vault and hope that attackers do not grief it again.
Remediation to consider
We couldn't come up with an ideal isolated solution to this problem. Please let us know if you have any ideas.
There are some possible ways, like considering shares to mint equal to debt only in
_convertDebtToShares
, like it's done if the supply of shares is zero. However, this approach would distribute the new debt position over all previous borrowers, which is not ideal and could create additional complexity and attack vectors.Instead, as mitigation after deployment, consider borrowing a significant amount yourself to reduce the likelihood of someone repaying the vault's debt on their own. Even in the extreme case where someone pays off the entire vault's debt, users should still be able to withdraw their funds. Consider adding a test for same.