code-423n4 / 2022-04-mimo-findings


INCOMPATIBILITY WITH REBASING/DEFLATIONARY/INFLATIONARY TOKENS CAN RESULT IN UNDERCOLLATERALIZED LOAN #126

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L123
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L280
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsCore.sol#L306
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/core/contracts/inception/InceptionVaultsDataProvider.sol#L66

Vulnerability details

INCOMPATIBILITY WITH REBASING/DEFLATIONARY/INFLATIONARY TOKENS CAN RESULT IN UNDERCOLLATERALIZED LOAN

The current version of the codebase does not handle special cases of tokens, e.g. deflationary or rebasing tokens, whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens held by the contract before and after the actual transfer to infer any fees/interest. Some functions transfer tokens from msg.sender (i.e. an external user) to the contract but do not check the return value, which can in some cases result in undercollateralized loans.

Impact

Medium

Proof Of Concept

InceptionVaultsCore.sol line 121

Tools Used

Manual Analysis

Recommended Mitigation Steps

Consider checking the actual balances transferred (balance after minus balance before) or clearly documenting that you do not support deflationary / rebasing / etc. tokens.
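As an added illustration (not code from the 2022-04-mimo repository), a minimal vault contrasting the deposit pattern the finding describes with the balance-delta check it recommends. The `IERC20` interface, the `CollateralVaultExample` contract, the `collateralBalance` mapping and the `depositUnsafe` / `depositSafe` names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used below (assumption; not the project's own interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault used only to illustrate the finding (not InceptionVaultsCore).
contract CollateralVaultExample {
    IERC20 public immutable collateral;
    mapping(address => uint256) public collateralBalance;

    constructor(IERC20 _collateral) {
        collateral = _collateral;
    }

    // Pattern the finding warns about: credits the requested amount, not what arrived,
    // and ignores the boolean return value. With a fee-on-transfer token the vault
    // receives less than `_amount`, so recorded collateral overstates what backs the loan.
    function depositUnsafe(uint256 _amount) external {
        collateral.transferFrom(msg.sender, address(this), _amount);
        collateralBalance[msg.sender] += _amount;
    }

    // Recommended pattern: measure the contract's balance before and after the transfer
    // and credit only the delta, i.e. the tokens that were actually received.
    // Assumes the token does not re-enter this contract from a transfer hook.
    function depositSafe(uint256 _amount) external returns (uint256 received) {
        uint256 balanceBefore = collateral.balanceOf(address(this));
        bool ok = collateral.transferFrom(msg.sender, address(this), _amount);
        require(ok, "transferFrom failed");
        received = collateral.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        collateralBalance[msg.sender] += received;
    }
}
```

The delta covers fees charged at transfer time; tokens whose balances rebase over time still drift away from the recorded amount afterwards, which is why the finding also offers documenting non-support as an alternative.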

m19 commented 2 years ago

Duplicate of #61

gzeoneth commented 2 years ago

Considered with #114