code-423n4 / 2023-01-numoen-findings


Unprotected Ether Withdrawal #253

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/Lendgine.sol#L152

Vulnerability details

Description

Due to missing or insufficient access controls, malicious parties can withdraw some or all Ether from the contract account.

This bug is sometimes caused by unintentionally exposing initialization functions. By wrongly naming a function intended to be a constructor, the constructor code ends up in the runtime byte code and can be called by anyone to re-initialize the contract.

https://swcregistry.io/docs/SWC-105

Impact

Unprotected (external/public) function calls sending Ether/tokens to user-controlled addresses may allow users to withdraw unauthorized funds.

Proof of Concept

File: src/core/Lendgine.sol

  function withdraw(
    address to,
    uint256 size
  )
    external
    override
    nonReentrant
    returns (uint256 amount0, uint256 amount1, uint256 liquidity)
  {
    _accrueInterest();

    uint256 _totalPositionSize = totalPositionSize; // SLOAD
    uint256 _totalLiquidity = totalLiquidity; // SLOAD
    uint256 totalLiquiditySupplied = _totalLiquidity + totalLiquidityBorrowed;

    Position.Info memory positionInfo = positions[msg.sender]; // SLOAD
    liquidity = Position.convertPositionToLiquidity(size, totalLiquiditySupplied, _totalPositionSize);

    if (liquidity == 0 || size == 0) revert InputError();

    if (size > positionInfo.size) revert InsufficientPositionError();
    if (liquidity > _totalLiquidity) revert CompleteUtilizationError();

    positions.update(msg.sender, -SafeCast.toInt256(size), rewardPerPositionStored);
    totalPositionSize -= size;
    (amount0, amount1) = burn(to, liquidity);

    emit Withdraw(msg.sender, size, liquidity, to);
  }

Recommended Mitigation Steps

Implement controls so withdrawals can only be triggered by authorized parties or according to the specs of the smart contract system.
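A simplified Python model of the checks visible in the posted `withdraw` excerpt, added here as an example; it is not part of the submission or of the Numoen code base. It shows which account those checks bound and debit when `to` is a different address. The pro-rata conversion formula, the effect of `burn`, and the names `LendgineModel`, `seed_position`, `paid_out` and `demo` are assumptions made for illustration.

```python
class InputError(Exception): ...
class InsufficientPositionError(Exception): ...
class CompleteUtilizationError(Exception): ...

class LendgineModel:
    """Hypothetical model of the guards in the posted withdraw() excerpt."""

    def __init__(self, total_liquidity, total_liquidity_borrowed=0):
        self.positions = {}          # caller -> position size
        self.total_position_size = 0
        self.total_liquidity = total_liquidity
        self.total_liquidity_borrowed = total_liquidity_borrowed
        self.paid_out = {}           # recipient -> liquidity released

    def seed_position(self, owner, size):
        # Constructed helper: stands in for an earlier deposit by `owner`.
        self.positions[owner] = self.positions.get(owner, 0) + size
        self.total_position_size += size

    def withdraw(self, msg_sender, to, size):
        supplied = self.total_liquidity + self.total_liquidity_borrowed
        # Assumption: convertPositionToLiquidity is a pro-rata share.
        liquidity = (size * supplied // self.total_position_size
                     if self.total_position_size else 0)
        if liquidity == 0 or size == 0:
            raise InputError()
        # The bound is the caller's own position, not the recipient's.
        if size > self.positions.get(msg_sender, 0):
            raise InsufficientPositionError()
        if liquidity > self.total_liquidity:
            raise CompleteUtilizationError()
        self.positions[msg_sender] -= size
        self.total_position_size -= size
        self.total_liquidity -= liquidity  # assumption: burn() releases it
        self.paid_out[to] = self.paid_out.get(to, 0) + liquidity
        return liquidity

def demo():
    """Run three constructed calls and report how each one ends."""
    pool = LendgineModel(total_liquidity=1_000)
    pool.seed_position("alice", 100)
    out = {}
    for label, args in [("no_position", ("mallory", "mallory", 10)),
                        ("owner_to_other", ("alice", "bob", 40)),
                        ("owner_over_limit", ("alice", "alice", 61))]:
        try:
            out[label] = pool.withdraw(*args)
        except Exception as exc:
            out[label] = type(exc).__name__
    out["alice_left"] = pool.positions["alice"]
    out["paid_out"] = dict(pool.paid_out)
    return out
```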

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid