Closed (code423n4 closed this issue 1 year ago)
The warden doesn't show how this actually impacts the protocol more than just being a loss of what amounts to dust (< 1 USD of value). Will downgrade and leave open for sponsor comment prior to moving to QA.
0xean changed the severity to 2 (Med Risk)
0xean marked the issue as duplicate of #468
0xean marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L359-L434
Vulnerability details
Impact
When calculating _startAuction uint256 usdValue in RiskFund, Auction state divides the value of each market in the vToken list (in token list precision). This skew is fine for most tokens but will cause problems with certain token pairs.
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Shortfall/Shortfall.sol#L359-L434
Proof of Concept
When calculating the user's usdValue ratio, the result is that the list of certain tokens will be completely broken because of this.
Imagine a pair of tokens like USDC and SHIB. USDC has a token precision of 6 and SHIB has 18. If a user has a list balance of 100,001 SHIB (100.001e18) and a loan of 1 USDC (1e6):
1e6 * 1e18 / 100.001e18 = 0
There are two problems with this. First, most of these tokens will not work. Another issue is that because the usdValue user returns 0, there are circumstances where some token lists are impossible to enumerate by violating the protocol's key invariant.
Any token with very high or very low precision will suffer the consequences.
https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Shortfall/Shortfall.sol#L393
Tools Used
Manual Review
Recommended Mitigation Steps
Depending on the precision of each Token, the ratio is calculated dynamically.
Assessed type
Decimal