code-423n4 / 2023-05-venus-findings


`borrowRateMaxMantissa` is not checked when borrowing #436

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol#L324

Vulnerability details

Impact

File: VToken.sol

```solidity
function accrueInterest() public virtual override returns (uint256) {
    // --skip--
    uint256 borrowRateMantissa = interestRateModel.getBorrowRate(cashPrior, borrowsPrior, reservesPrior);
    // >> line 696 of VToken.sol
    require(borrowRateMantissa <= borrowRateMaxMantissa, "borrow rate is absurdly high");
    // --skip--
}
```

The VToken contract has borrowRateMaxMantissa, which is used to control the upper limit of borrowRate. But this value is not checked when borrowing. This will cause the borrowRate to be higher than the expected value set by the contract, and will cause the borrow rate to be higher than the expected value.

Proof of Concept

The attacker borrowed a large number of vTokens, causing the borrowRateMantissa to exceed the limit.

Tools Used

manual

Recommended Mitigation Steps

Check `borrowRateMantissa` when borrowing.

Assessed type

Invalid Validation

c4-judge commented 1 year ago

0xean marked the issue as primary issue

c4-sponsor commented 1 year ago

chechu marked the issue as sponsor disputed

chechu commented 1 year ago

The max limit of borrowRate is checked here: https://github.com/code-423n4/2023-05-venus/blob/main/contracts/VToken.sol#L696

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Invalid
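
Added example, not part of the issue thread or the Venus code base: a small Python model of the accrual path in the excerpt, showing how a cap enforced in `accrueInterest()` also gates a borrow when the borrow path accrues interest first. The linear rate model, all numbers, the class and function names, and the accrue-before-borrow ordering are assumptions of this sketch.

```python
MANTISSA = 10**18  # fixed-point scale of the *Mantissa values

class RateTooHigh(Exception):
    """Models the revert 'borrow rate is absurdly high'."""

class LinearRateModel:
    """Constructed model: per-block rate = base + slope * utilization."""
    def __init__(self, base, slope):
        self.base, self.slope = base, slope

    def get_borrow_rate(self, cash, borrows, reserves):
        if borrows == 0:
            return self.base
        utilization = borrows * MANTISSA // (cash + borrows - reserves)
        return self.base + self.slope * utilization // MANTISSA

class Market:
    """Hypothetical stand-in for the VToken accrual and borrow paths."""
    def __init__(self, model, max_rate, cash, borrows, reserves=0):
        self.model, self.max_rate = model, max_rate
        self.cash, self.borrows, self.reserves = cash, borrows, reserves
        self.block = 0

    def accrue_interest(self, block):
        rate = self.model.get_borrow_rate(self.cash, self.borrows, self.reserves)
        # Same comparison as the require() in the excerpt.
        if rate > self.max_rate:
            raise RateTooHigh("borrow rate is absurdly high")
        self.borrows += rate * (block - self.block) * self.borrows // MANTISSA
        self.block = block

    def borrow(self, amount, block):
        self.accrue_interest(block)  # assumption: accrual runs before the borrow
        if amount > self.cash:
            raise ValueError("insufficient cash")
        self.cash -= amount
        self.borrows += amount

def borrow_reverts(market, amount, block):
    """Return True if the borrow is rejected by the rate cap."""
    try:
        market.borrow(amount, block)
    except RateTooHigh:
        return True
    return False

# Constructed values, not taken from the Venus deployment.
MODEL = LinearRateModel(base=10**10, slope=10**13)
MAX_RATE = 5 * 10**12
UNIT = 10**18
```
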