search

code-423n4 / 2022-10-inverse-findings

0 stars 0 forks source link

`replenishmentPriceBps` can be set arbitrarily high by the operator #570

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/DBR.sol#L62-L65

Vulnerability details

Impact

The operator can increase the debt of a user with any deficit, beyond what is reasonable.

Proof of Concept

replenishmentPriceBps can be set arbitrarily high by the operator:

function setReplenishmentPriceBps(uint newReplenishmentPriceBps_) public onlyOperator {
    require(newReplenishmentPriceBps_ > 0, "replenishment price must be over 0");
    replenishmentPriceBps = newReplenishmentPriceBps_;
}

This is used in DBR.onForceReplenish():

function onForceReplenish(address user, uint amount) public {
    require(markets[msg.sender], "Only markets can call onForceReplenish");
    uint deficit = deficitOf(user);
    require(deficit > 0, "No deficit");
    require(deficit >= amount, "Amount > deficit");
    uint replenishmentCost = amount * replenishmentPriceBps / 10000;
    accrueDueTokens(user);
    debts[user] += replenishmentCost;
    _mint(user, amount);
}

If the user has any deficit, say 1 wei, then by setting newReplenishmentPriceBps to unreasonablyHighNumber (by mistake or otherwise) if someone calls DBR.onForceReplenish() the users debt will be increased by unreasonablyHighNumber/10000.

Tools Used

Code inspection

Recommended Mitigation Steps

Set an (potentially still quite high) upper bound for replenishmentPriceBps and require that it be lower than this in the setter function and the constructor.

c4-judge commented 1 year ago

0xean marked the issue as duplicate

Simon-Busch commented 1 year ago

Issue marked as satisfactory as requested by 0xean

c4-judge commented 1 year ago

Simon-Busch marked the issue as duplicate of #301