IMPORTANT NOTE: For some unknown reason, when reporting all my issues in bulk, the issue below slipped out and was not reported. I know it should not be eligible for rewards, but given its importance, I want to make sure the project takes a look and hopefully fixes it regardless.
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/ValidationLogic.sol#L870
Description
ValidationLogic's validateHFAndLtvERC20 is called in withdraw operations to make sure the user's health factor stays above 1. It also performs an additional check: if the user holds any collateral asset with zero LTV, that asset must be the one being withdrawn right now.
The issue is that users may supply assets on behalf of other users. If an attacker supplies a negligible amount of a 0 LTV asset to another user, that user can no longer withdraw any of their other assets. In the supply flow, the first supply of an asset sets usingAsCollateral to true, so the attack does not require the asset to be pre-approved as collateral, as shown in the POC.
Additionally, to unfreeze withdrawals the user must either uncollateralize the injected asset or withdraw it, but that is not necessarily possible. Both validateSetUseERC20AsCollateral() and validateWithdraw() require the target asset to be active and not paused. If either condition does not hold, the user has no way to make their other holdings withdrawable.
Impact
An attacker can inject a negligible holding into a victim's account and make them unable to withdraw their assets, temporarily or permanently.
Proof of Concept
Please copy the POC below into _pool_core_erc20_withdraw.spec.ts:
Tools Used
Manual audit
Recommended Mitigation Steps
Do not allow supply of 0 LTV collateral from one user to another.
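One way to implement this mitigation in the supply validation path, as an added illustration rather than ParaSpace's own code: the guard only rejects third-party supplies of zero-LTV assets, so a user can still supply such an asset to their own account. The ReserveConfig struct, the library name and the custom error are assumptions introduced for this example; in the real code base the LTV would be read from the reserve's configuration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Illustrative mitigation (not ParaSpace code): reject supplies of a
/// zero-LTV asset made on behalf of someone else, so an attacker cannot plant
/// a zero-LTV collateral position in a victim's account and block withdrawals.
library SupplyOnBehalfGuard {
    /// Assumed minimal view of a reserve's configuration: LTV in basis points.
    struct ReserveConfig {
        uint256 ltv; // 0 means the asset cannot back any borrowing
    }

    error ZeroLtvSupplyOnBehalf(address asset, address onBehalfOf);

    /// Call from the supply flow before the balance is credited and before the
    /// first-supply logic flips usingAsCollateral to true.
    /// `sender` is msg.sender in the pool; `onBehalfOf` is the account credited.
    function validateSupplyOnBehalf(
        ReserveConfig memory config,
        address asset,
        address sender,
        address onBehalfOf
    ) internal pure {
        // Supplying to one's own account is unaffected by this issue.
        if (onBehalfOf == sender) return;
        // Third-party supply of a zero-LTV asset is exactly the vector described
        // above: a dust position that validateHFAndLtvERC20 later refuses to
        // let the victim withdraw around.
        if (config.ltv == 0) revert ZeroLtvSupplyOnBehalf(asset, onBehalfOf);
    }
}
```

An alternative with the same effect against this vector is to leave usingAsCollateral unset when the first supply of a zero-LTV asset comes from a third party, so the victim's withdraw path never sees it as collateral.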