code423n4 commented 3 years ago

Handle

@cmichelio

Vulnerability details

Vulnerability Details

The UniswapConfig.getTokenConfigBySymbolHash function does not work as getSymbolHashIndex returns 0 if there is no config token for that symbol (uninitialized map value), but the outer function implements the non-existence check with -1.

The same issue occurs also for:

getTokenConfigByCToken
getTokenConfigByUnderlying

Impact

When encountering a non-existent token config, it will always return the token config of the first index (index 0) which is a valid token config for a completely different token. This leads to wrong oracle prices for the actual token which could in the worst case be used to borrow more tokens at a lower price or borrow more tokens by having a higher collateral value, essentially allowing undercollateralized loans that cannot be liquidated.

Recommended Mitigation Steps

Fix the non-existence check.

ghoul-sol commented 3 years ago

Duplicate of #24

ghoul-sol commented 3 years ago

UniswapConfig has been refactored. Index 0 is considered a non-existent config and all comparison are against that value.

code-423n4 / 2021-04-basedloans-findings

UniswapConfig getters return wrong token config if token config does not exist #37

Handle

Vulnerability details

Vulnerability Details

Impact

Recommended Mitigation Steps