code-423n4 / 2023-05-venus-findings


Integer overflow of supplyCap can lead to an unwanted amount of supply tokens being distributed #476

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Comptroller.sol#L262-L269

Vulnerability details

Impact

The lack of an else condition when checking if supplyCap != type(uint256).max can lead to rewards being distributed beyond the intended supplyCap.

Proof of Concept

The function preMintHook includes a condition to revert if nextTotalSupply > supplyCap, but this is only if supplyCap != type(uint256).max. If supplyCap == type(uint256).max, rewards can still be distributed as there is no else condition to revert the function. This will lead to an unexpected amount of tokens being distributed.

See code block below:

    if (supplyCap != type(uint256).max) {
        uint256 vTokenSupply = VToken(vToken).totalSupply();
        Exp memory exchangeRate = Exp({ mantissa: VToken(vToken).exchangeRateStored() });
        uint256 nextTotalSupply = mul_ScalarTruncateAddUInt(exchangeRate, vTokenSupply, mintAmount);
        if (nextTotalSupply > supplyCap) {
            revert SupplyCapExceeded(vToken, supplyCap);
        }
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add an else condition to ensure tokens are not distributed past type(uint256).max when supplyCap == type(uint256).max.

    if (supplyCap != type(uint256).max) { //@note if the cap on supply is not integer max then continue
        uint256 vTokenSupply = VToken(vToken).totalSupply();
        Exp memory exchangeRate = Exp({ mantissa: VToken(vToken).exchangeRateStored() });
        uint256 nextTotalSupply = mul_ScalarTruncateAddUInt(exchangeRate, vTokenSupply, mintAmount);
        if (nextTotalSupply > supplyCap) {
            revert SupplyCapExceeded(vToken, supplyCap);
        }
    } else {
        // if supplyCap == type(uint256).max
        revert SupplyCapExceeded(vToken, supplyCap);
    }

Assessed type

Under/Overflow
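
The behaviour of the two snippets in the submission above, modelled in Python as an added example (not part of the submission or of the Venus code base). It assumes that mul_ScalarTruncateAddUInt computes truncate(mantissa * scalar / 1e18) + addend and that uint256 arithmetic is checked; the market values in `demo()` are constructed.

```python
UINT256_MAX = 2**256 - 1
EXP_SCALE = 10**18  # assumed scale of the Exp mantissa (1e18 fixed point)

class SupplyCapExceeded(Exception):
    """Stands in for the Solidity custom error of the same name."""

class ArithmeticOverflow(Exception):
    """Stands in for a checked-arithmetic revert (assumed, not shown on the page)."""

def _checked(value):
    if value > UINT256_MAX:
        raise ArithmeticOverflow(value)
    return value

def mul_scalar_truncate_add_uint(mantissa, scalar, addend):
    # Assumed helper semantics: truncate(mantissa * scalar) + addend, each step checked.
    return _checked(_checked(mantissa * scalar) // EXP_SCALE + addend)

def pre_mint_original(supply_cap, v_token_supply, exchange_rate, mint_amount):
    """First snippet: the cap is enforced only when it is not type(uint256).max."""
    if supply_cap != UINT256_MAX:
        next_total = mul_scalar_truncate_add_uint(exchange_rate, v_token_supply, mint_amount)
        if next_total > supply_cap:
            raise SupplyCapExceeded(supply_cap)
    return True  # hook passes and the mint proceeds

def pre_mint_with_else(supply_cap, v_token_supply, exchange_rate, mint_amount):
    """Second snippet: same check plus the recommended else branch."""
    if supply_cap != UINT256_MAX:
        return pre_mint_original(supply_cap, v_token_supply, exchange_rate, mint_amount)
    raise SupplyCapExceeded(supply_cap)

def outcome(hook, *args):
    """Return 'ok' or the name of the revert the hook would raise."""
    try:
        hook(*args)
        return "ok"
    except (SupplyCapExceeded, ArithmeticOverflow) as exc:
        return type(exc).__name__

def demo():
    rate, supply = 2 * EXP_SCALE, 400  # constructed state: 400 vTokens at 2.0
    cases = {"cap=1000 mint=100": (1000, 100), "cap=1000 mint=201": (1000, 201),
             "cap=max mint=1": (UINT256_MAX, 1)}
    return {f"{hook.__name__} {label}": outcome(hook, cap, supply, rate, mint)
            for hook in (pre_mint_original, pre_mint_with_else)
            for label, (cap, mint) in cases.items()}

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:45s} {result}")
```

With a cap of type(uint256).max, the first snippet passes the hook for any mint amount, while the version with the else branch reverts every mint, including a mint of 1.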

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient quality