Lines of code
https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Comptroller.sol#L187-L199
https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Comptroller.sol#L292-L299
Vulnerability details
Impact
Users can avoid a correct estimation of their assets and redeem more tokens than they would be able to redeem if the estimation used updated oracle prices.
Proof of Concept
The exitMarket function does not call oracle.updatePrice before the _checkRedeemAllowed check at all. preRedeemHook and preTransferHook call oracle.updatePrice before the _checkRedeemAllowed check, but only for the redeemed VToken. The _checkRedeemAllowed check estimates the user's asset liquidity through the _getHypotheticalLiquiditySnapshot function. _getHypotheticalLiquiditySnapshot calculates snapshot.shortfall with oracle.getUnderlyingPrice(address(asset)) from the _safeGetUnderlyingPrice function. oracle.updatePrice should be called before every call to oracle.getUnderlyingPrice, for every token, but Comptroller.sol does not do so.
Tools Used
Manual review
Recommended Mitigation Steps
I suggest calling oracle.updatePrice for all assets in the user's accountAssets in the _getHypotheticalLiquiditySnapshot function.
Assessed type
Oracle
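As an added illustration of the stale-price pattern described in the proof of concept and of the proposed refresh (not code from the Venus repository): a hypothetical, simplified comptroller in which the IVToken interface, the enterMarket helper and the 1e18 scaling are assumptions, while the oracle calls are the two named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Oracle interface limited to the two calls named in the finding.
interface IOracle {
    function updatePrice(address vToken) external;
    function getUnderlyingPrice(address vToken) external view returns (uint256);
}

// Hypothetical, simplified VToken view (assumption): all values are 1e18-scaled.
interface IVToken {
    function balanceOf(address account) external view returns (uint256);
    function borrowBalanceOf(address account) external view returns (uint256);
    function exchangeRate() external view returns (uint256);
}

contract SnapshotExample {
    IOracle public immutable oracle;
    mapping(address => IVToken[]) internal accountAssets;
    constructor(IOracle _oracle) { oracle = _oracle; }
    function enterMarket(IVToken vToken) external { accountAssets[msg.sender].push(vToken); }

    // Vulnerable pattern: prices are read as stored, so a stale price on any
    // collateral or borrow asset skews the shortfall the redeem check relies on.
    function shortfallStale(address account) external view returns (uint256) {
        return _shortfall(account);
    }

    // Mitigated pattern: refresh every asset in accountAssets, then take the snapshot.
    // updatePrice writes state, so this entry point cannot be view.
    function shortfallFresh(address account) external returns (uint256) {
        IVToken[] storage assets = accountAssets[account];
        for (uint256 i = 0; i < assets.length; ++i) {
            oracle.updatePrice(address(assets[i]));
        }
        return _shortfall(account);
    }

    function _shortfall(address account) internal view returns (uint256) {
        uint256 collateral; uint256 borrows;
        IVToken[] storage assets = accountAssets[account];
        for (uint256 i = 0; i < assets.length; ++i) {
            uint256 price = oracle.getUnderlyingPrice(address(assets[i]));
            // Collateral value = vTokens * exchangeRate * price; borrow value = borrows * price.
            collateral += assets[i].balanceOf(account) * assets[i].exchangeRate() / 1e18 * price / 1e18;
            borrows += assets[i].borrowBalanceOf(account) * price / 1e18;
        }
        return borrows > collateral ? borrows - collateral : 0;
    }
}
```

The refresh loop could equally sit inside the snapshot function itself, as the mitigation proposes, at the cost of dropping its view modifier; either way every asset the account holds or borrows is refreshed, not only the one being redeemed.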