search

code-423n4 / 2023-05-venus-findings

2 stars 1 forks source link

When `borrowRateMantissa` is higher than the limit value, VToken contract will be DOS #435

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L696

Vulnerability details

Impact

File: VToken.sol
 678     function accrueInterest() public virtual override returns (uint256) {
--skip--
 695         uint256 borrowRateMantissa = interestRateModel.getBorrowRate(cashPrior, borrowsPrior, reservesPrior);
 696 >>      require(borrowRateMantissa <= borrowRateMaxMantissa, "borrow rate is absurdly high");

accrueInterest function will revert if borrowRateMantissa > borrowRateMaxMantissa. This condition is easy to achieve, and the attacker can use other vTokens as collateral to borrow this vToken, which may be triggered, and even the increase in interest debt will also be triggered as time increases.

Once the accrueInterest function reverts, most functions of the VToken contract will be DOS, because accrueInterest is a pre-function of many functions. Can't even repay, liquidate to reduce VToken's debt.

Proof of Concept

  1. The attacker borrowed a large amount of vTokens causing the borrowRateMantissa to exceed the upper limit
  2. VToken contract be DOS

Tools Used

manual

Recommended Mitigation Steps

Repayment, liquidation and other operations are not affected by borrowRateMantissa.

Assessed type

DoS

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient proof