search

Lodestar-Finance / lodestar-protocol

Houses the code for the Lodestar Finance DeFi protocol.
BSD 3-Clause "New" or "Revised" License
10 stars 7 forks source link

not checking current `totalSupplyUnderlying` in `_setMarketSupplyCaps` #14

Closed rajatbeladiya closed 1 year ago

rajatbeladiya commented 1 year ago

Affected Contracts

Comptroller.sol

Severity

Medium

Description

https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/Comptroller.sol#L267-L273

supplyCaps[cToken] is used to cap the supply of cToken. It can be set by _setMarketSupplyCaps. mintAllowed() is used to check that allowed to mint tokens.

https://github.com/LodestarFinance/lodestar-protocol/blob/cfca1ae275d023a02198798bbcb24b2a1f646776/contracts/Comptroller.sol#L1114-L1129

suppose current totalSupplyUnderlying is 10000 then it should not let supplyCaps[cToken] to less than 10000. but here _setMarketSupplyCaps is not checking that current totalSupplyUnderlying should be less than newSupplyCap.

mintAllowed is being used in mintFresh() function of CToken.sol. add check for totalSupplyUnderlying <= newSupplyCap to _setMarketSupplyCaps to avoid unintended behavior.

Recommendation

add check for totalSupplyUnderlying <= newSupplyCap in _setMarketSupplyCaps() function.

0xAppo commented 1 year ago

Allowing for the supply and borrow caps to be lower than the current borrow/supply balances is by design