code-423n4 / 2023-05-venus-findings

Whales can freeze all user funds #560

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/VToken.sol#L345-L348

Vulnerability details

Impact

Whales can freeze user funds by adding large amounts of a smaller token, while keeping collateral in other tokens. By accumulating interest in the small token, they will be able to call reduceReserves once the interest has increased enough to match the cash balance. This will reduce reserves and cash close to zero, so nobody can redeem the token anymore. But the whale also can't be liquidated to free funds, because he has enough collateral in other tokens!

Proof of Concept

Will follow soon.

Tools Used

Manual review. VSCode.

Recommended Mitigation Steps

Will follow soon.

Assessed type

Other

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient quality