code-423n4 / 2023-01-numoen-findings

LendgineRouter#checkDeadline can be bypassed if option position is minted through Lendgine#mint() instead #183

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/LendgineRouter.sol#L141-L143

Vulnerability details

Impact

Minting of power token can bypass deadline check.

Proof of Concept

If the borrower calls mint() in LendgineRouter.sol, there is a checkDeadline parameter to check if deadline < block.timestamp.

  /// @notice Use token1 to completely mint an option position
  function mint(MintParams calldata params) external payable checkDeadline(params.deadline) returns (uint256 shares) {
    address lendgine = LendgineAddress.computeAddress(

  modifier checkDeadline(uint256 deadline) {
    if (deadline < block.timestamp) revert LivelinessError();
    _;
  }

However, if the borrower calls mint() on Lendgine instead to mint the ERC20 Power token, there is no checkDeadline enforced.

  function mint(
    address to,
    uint256 collateral,
    bytes calldata data
  )
    external
    override
    nonReentrant
    returns (uint256 shares)
  {
    _accrueInterest();

    uint256 liquidity = convertCollateralToLiquidity(collateral);

Tools Used

VSCode

Recommended Mitigation Steps

Make sure the function that controls minting of power token can only be called through one contract, like how Pair.sol does it.

kyscott18 commented 1 year ago

The core functions are meant to be accessed through the periphery contracts, but the periphery contracts are meant to be swappable, so that is why the address of them is not hard coded.

c4-sponsor commented 1 year ago

kyscott18 marked the issue as sponsor acknowledged

berndartmueller commented 1 year ago

The deadline parameter is a safety measure for users. If a user is not using the periphery contracts and instead is directly interacting with the Lendgine core contract, it's the user's very own fault if any issues arise.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid
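
Added example, not part of the thread or the Numoen code base: a minimal sketch of the split discussed above, where the core mint() has no deadline and any periphery or integrating contract that calls it directly carries its own liveliness check. ICoreMint, CoreStub, DeadlineGuardedCaller and mintBefore are hypothetical names, and the stub keeps only the call shape of the quoted core function with a constructed 1:1 share rate.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; ICoreMint, CoreStub and DeadlineGuardedCaller are hypothetical names.

/// Same external shape as the core mint() quoted in the report.
interface ICoreMint {
  function mint(address to, uint256 collateral, bytes calldata data) external returns (uint256 shares);
}

/// Stand-in for the core: it has no notion of a deadline and executes whenever it is called.
contract CoreStub is ICoreMint {
  uint256 public totalShares;

  function mint(address, uint256 collateral, bytes calldata) external override returns (uint256 shares) {
    shares = collateral; // constructed 1:1 rate, not the protocol's pricing
    totalShares += shares;
  }
}

/// A caller that talks to the core directly and enforces the deadline itself.
contract DeadlineGuardedCaller {
  error LivelinessError();

  ICoreMint public immutable core;

  constructor(ICoreMint core_) {
    core = core_;
  }

  // Same check as the router modifier quoted in the report.
  modifier checkDeadline(uint256 deadline) {
    if (deadline < block.timestamp) revert LivelinessError();
    _;
  }

  /// Reverts if the transaction is mined after `deadline`; otherwise forwards to the core.
  function mintBefore(address to, uint256 collateral, bytes calldata data, uint256 deadline)
    external
    checkDeadline(deadline)
    returns (uint256 shares)
  {
    shares = core.mint(to, collateral, data);
  }
}
```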