Open code423n4 opened 2 years ago
dupe of #30, but good find
The warden identified a way to desynch the actual amounts of boostedFei for a vault and the system vs the amounts tracked in storage.
Because of this discrepancy the availability of borrowable FEI in the system can be distorted, preventing new borrows.
I do not believe this puts collateral at risk and also believe that the temporary "denial of borrowing" would be quickly fixed by raising caps.
I want to commend the warden for finding a way to break the system invariants, while the system internal accounting has been broken, no meaningful leak of value, extended denial of service or funneling of funds happened.
Liquidations can also still happen at the pool level.
Because of these reasons, I agree with Medium Severity
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/66f27fe51083f49f7935e3fe594ab2380b75dee8/src/TurboSafe.sol#L225-L236
Vulnerability details
https://github.com/code-423n4/2022-02-tribe-turbo/blob/66f27fe51083f49f7935e3fe594ab2380b75dee8/src/TurboSafe.sol#L225-L236
In the current implementation, when calling
less()
to withdraw Fei from the Vault and use it to repay debt, if the amount of Fei is bigger than the debt balance, theonSafeLess
hook will usefeiDebt
asThe amount of Fei withdrawn from the Vault
.As a result,
getTotalBoostedForVault[vault]
in TurboMaster will be larger than the actual total amount of Fei being used to boost the Vault.Since the
Turbo Gibber
may impound some of the Safe's collateral and mint a certain amount of Fei and repay the Safe's Fei debt with the newly minted Fei. In that case, the Safe's debt balance can be less than the amount of Fei in Vault. Which constitutes the precondition for theless()
call to case the distortion ofgetTotalBoostedForVault[vault]
.PoC
Given:
collateralFactor
of WBTC = 0.6getBoostCapForCollateral[WBTC]
= 300,000getBoostCapForVault[vault0]
= 300,00010 WBTC
and Boost300,000 Fei
tovault0
On master:
On safe:
Turbo Gibber
impound2 WBTC
and mint100,000 Fei
to repay debt for Alice's Safe.less()
withdraw300,000 Fei
from Vault and repay200,000
debt, in the hook:master.onSafeLess(WBTC, vault0, 200,000)
On master:
On Safe:
20 WBTC
and Boost300,000 Fei
will fail due toBOOSTER_REJECTED
.Recommendation
Change to: