code-423n4 / 2023-05-venus-findings


`preBorrowHook` and `preRepayHook` can call `updateRewardTokenBorrowIndex` with old borrowIndex #438

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol#L377

Vulnerability details

Impact

Under normal circumstances, the user calls VToken.borrow, further calls accrueInterest to update borrowIndex, and then calls preBorrowHook to trigger updateRewardTokenBorrowIndex.

But since preBorrowHook is an external function, an attacker can directly call updateRewardTokenBorrowIndex without updating borrowIndex. Using the old borrowIndex will cause the calculated reward to be wrong.

Proof of Concept

The attacker directly calls updateRewardTokenBorrowIndex to calculate the wrong reward

Tools Used

manual

Recommended Mitigation Steps

        // Keep the flywheel moving
        uint256 rewardDistributorsCount = rewardsDistributors.length;

+       vToken.accrueInterest();
        for (uint256 i; i < rewardDistributorsCount; ++i) {
            rewardsDistributors[i].updateRewardTokenBorrowIndex(vToken, borrowIndex);
            rewardsDistributors[i].distributeBorrowerRewardToken(vToken, borrower, borrowIndex);
        }
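
Review bot: the inserted `vToken.accrueInterest();` is placed immediately before the loop, but the loop passes a `borrowIndex` variable whose assignment is not shown in these lines. If `borrowIndex` is read above this point, the loop still hands the pre-accrual value to `updateRewardTokenBorrowIndex` and `distributeBorrowerRewardToken`, so the accrual call should come before the index is read, or the index should be re-read after it. The snippet also does not identify which function it belongs to; since the title names both `preBorrowHook` and `preRepayHook`, the recommendation should say whether the same change is intended for each.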

Assessed type

Other

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient proof