Closed code423n4 closed 1 year ago
See my comment on #579.
0xean marked the issue as primary issue
08xmt marked the issue as sponsor disputed
Being able to borrow DOLA with 0 DBR is intended behaviour. It allows for easy set-up of DOLA loans, where the loan is partially used to buy DBR tokens, without needing flashloan behaviour. The borrower will be paying the inflated borrowing APY that is set in the market. UI elements will be used to protect normal users from doing this.
Better wording could have been used to describe the behaviour of DBR, as DBR tokens give the right to borrow 1 DOLA without paying interest rates, where borrowing without DBR will make the user subject to high interest rates.
closing as invalid, see #579 for more info.
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L408-L410 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L389-L401 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L559-L572 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L546-L549 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L531-L539 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L472-L474 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L460-L466
Vulnerability details
Impact
Although https://github.com/code-423n4/2022-10-inverse#fixed-rates-market-protocol-overview states that "one DBR token gives the right to borrow one DOLA for one year", and https://github.com/code-423n4/2022-10-inverse#contracts states that "a DOLA Fed mints DOLA to a market, which is then available to borrow for users holding DBR, using the Borrow function", users who do not own any DBR are still able to call the
borrow
function for borrowing DOLA against the deposited collateral. When this occurs, because the borrower has a DBR deficit, a replenisher could call theforceReplenish
function to increase the borrower's debt. However, the borrower can monitor the replenisher'sforceReplenish
transaction in the mempool and front-runs it by sending arepayAndWithdraw
transaction with a higher gas fee or by ordering suchrepayAndWithdraw
transaction before suchforceReplenish
transaction if the borrower happens to be the relevant miner; after the front-running, the borrower would receive all of the deposited collateral. When the replenisher does not call theforceReplenish
function promptly, such as that the replenisher might notice the borrower's DBR deficit after days or weeks have been passed since the borrower called theborrow
function, the borrower is then able to borrow and utilize DOLA for these days or weeks while getting back all of the deposited collateral at the end without owning any DBR given the front-running is successful. Moreover, the DOLA amount that should be reserved for the DBR owners is borrowed by such borrower and becomes unavailable to the DBR owners, which is unfair to them.https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L408-L410
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L389-L401
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L559-L572
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L546-L549
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L531-L539
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L472-L474
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Market.sol#L460-L466
Proof of Concept
Please add the following test in
src\test\Market.t.sol
. This test will pass to demonstrate the described scenario.Tools Used
VSCode
Recommended Mitigation Steps
The
borrowInternal
function can be updated to only allow the borrower to borrow the DOLA amount that corresponds to the borrower's DBR balance that is available for borrowing DOLA. If the borrower does not own any DBR, then calling this function should revert.