Open code423n4 opened 1 year ago
minhquanym marked the issue as duplicate of #1370
minhquanym marked the issue as not a duplicate
minhquanym marked the issue as primary issue
0xRektora (sponsor) confirmed
dmvt marked the issue as selected for report
## Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/Penrose.sol#L395-L397
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L242-L255
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L180-L201
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L512-L520
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L309-L317
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L263-L271
## Vulnerability details

### Impact

The following conditions have to be met for this issue to happen:

1. `Penrose.registerBigBang()` is called with a `data` param where `data.debtStartPoint` is nonzero.
2. `BigBang.borrow()` is called with a function param `amount` (the borrow amount) that is less than `debtStartPoint`.

Now `BigBang.getDebtRate()` will always revert and the collateral from the first borrower is locked, because `BigBang.getDebtRate()` is used in `BigBang._accrue()`, and `BigBang._accrue()` is used in every function that involves `totalBorrow`, such as `BigBang.liquidate()` and `BigBang.repay()`.

The reason for the revert is that in `BigBang.getDebtRate()`, `totalBorrow.elastic`, which gets assigned to the variable `_currentDebt` (line 186 of BigBang.sol), will not be 0, and then on line 192 of the BigBang contract `_currentDebt` is smaller than `debtStartPoint`, which causes the revert. As a consequence the collateral is trapped, since both repay and liquidate require accrue to be called beforehand.
### Proof of Concept

The following gist contains a proof of concept to demonstrate this issue. A non-ETH BigBang market (the WBTC market) is deployed with `Penrose::registerBigBang`. Note that the `debtStartPoint` parameter in the init data is non-zero (set to 1e18).

First we set up the primary ETH market: some WETH is minted and deposited to the ETH market, then some assets are borrowed against the collateral. This is a necessary condition for this bug to happen: the ETH market has to have some borrowed asset. However, this condition is very likely to be fulfilled, as the primary ETH market would be deployed before any non-ETH market.

Now, an innocent user adds collateral and borrows in the non-ETH market (the WBTC market). The issue occurs when the user borrows less than the `debtStartPoint`. If the user borrows less than the `debtStartPoint`, `BigBang::accrue` will revert and the collateral is trapped in this market.

https://gist.github.com/zzzitron/a6d6377b73130819f15f1e5a2e2a2ba9

The bug happens at line 192 of `BigBang.sol`.

### Tools Used

Manual review
### Recommended Mitigation Steps

Consider adding a require statement to `BigBang.borrow()` to make sure that the borrow amount is >= `debtStartPoint`.

### Assessed type

Other
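The sequence described in the impact section and the effect of the recommended mitigation, replayed on a small Python model. This is an added example, not the Tapioca contracts or the gist's own test: the rate interpolation, the ETH-market cap behaviour, the `min_debt_rate`/`max_debt_rate` values and the user names are assumptions; only the `totalBorrow.elastic`-below-`debtStartPoint` revert and the "accrue runs first on every debt-touching path" structure are taken from the report.

```python
"""Toy model of the BigBang debt-rate path described in this report.
Added for illustration; names, rates and the interpolation are assumptions,
not the Tapioca contracts themselves."""
from dataclasses import dataclass, field

WAD = 10**18


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Rebase:
    elastic: int = 0  # total debt including accrued interest
    base: int = 0     # debt shares held by borrowers


@dataclass
class BigBangModel:
    debt_start_point: int             # data.debtStartPoint passed to registerBigBang()
    eth_market_total_debt: int        # debt outstanding in the primary ETH market
    require_min_borrow: bool = False  # the recommended mitigation, off by default
    min_debt_rate: int = 5 * 10**15   # assumed 0.5% per accrual period
    max_debt_rate: int = 5 * 10**16   # assumed 5% per accrual period
    total_borrow: Rebase = field(default_factory=Rebase)
    collateral: dict = field(default_factory=dict)
    borrow_part: dict = field(default_factory=dict)

    def get_debt_rate(self) -> int:
        current_debt = self.total_borrow.elastic  # "_currentDebt" in the report
        if current_debt == 0:
            return self.min_debt_rate
        # Assumption: with no ETH-market debt the cap is zero and the max rate is
        # returned before the comparison, which is why the report needs ETH debt.
        if self.eth_market_total_debt == 0:
            return self.max_debt_rate
        if current_debt < self.debt_start_point:
            raise Revert("totalBorrow.elastic below debtStartPoint")  # the line-192 revert
        # Assumption: linear interpolation from debtStartPoint up to the ETH-debt cap.
        cap = max(self.eth_market_total_debt, self.debt_start_point + 1)
        if current_debt >= cap:
            return self.max_debt_rate
        progress = (current_debt - self.debt_start_point) * WAD // (cap - self.debt_start_point)
        return self.min_debt_rate + (self.max_debt_rate - self.min_debt_rate) * progress // WAD

    def accrue(self) -> int:
        """_accrue(): every debt-touching entry point runs this first."""
        rate = self.get_debt_rate()
        self.total_borrow.elastic += self.total_borrow.elastic * rate // WAD
        return rate

    def add_collateral(self, user: str, amount: int) -> None:
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user: str, amount: int) -> None:
        if self.require_min_borrow and amount < self.debt_start_point:
            raise Revert("borrow amount below debtStartPoint")  # the recommended require
        self.accrue()
        tb = self.total_borrow
        shares = amount if tb.base == 0 or tb.elastic == 0 else amount * tb.base // tb.elastic
        tb.elastic += amount
        tb.base += shares
        self.borrow_part[user] = self.borrow_part.get(user, 0) + shares

    def repay(self, user: str) -> int:
        """Repay the user's whole position; returns the elastic amount paid."""
        self.accrue()
        shares = self.borrow_part.pop(user, 0)
        owed = shares * self.total_borrow.elastic // self.total_borrow.base
        self.total_borrow.elastic -= owed
        self.total_borrow.base -= shares
        return owed

    def remove_collateral(self, user: str) -> int:
        self.accrue()  # assumption: collateral removal accrues first, like repay/liquidate
        if self.borrow_part.get(user, 0):
            raise Revert("position still has debt")
        return self.collateral.pop(user, 0)


def first_borrower_outcome(borrow_amount: int, mitigated: bool = False) -> str:
    """Replay the report: the ETH market already carries debt, a non-ETH market is
    registered with debtStartPoint = 1e18, and the first user borrows borrow_amount."""
    market = BigBangModel(debt_start_point=WAD, eth_market_total_debt=100 * WAD,
                          require_min_borrow=mitigated)
    market.add_collateral("alice", 10 * WAD)  # constructed sample position
    try:
        market.borrow("alice", borrow_amount)
    except Revert as err:
        intact = market.remove_collateral("alice") == 10 * WAD
        return f"borrow reverted ({err}); collateral still withdrawable: {intact}"
    try:
        market.repay("alice")
        market.remove_collateral("alice")
    except Revert as err:
        return f"collateral trapped: accrue reverted ({err})"
    return "repaid and collateral withdrawn"


if __name__ == "__main__":
    print(first_borrower_outcome(WAD // 2))                  # trapped
    print(first_borrower_outcome(2 * WAD))                   # fine
    print(first_borrower_outcome(WAD // 2, mitigated=True))  # borrow rejected up front
```

The point the model makes is that the revert is not in `borrow()` itself: the first borrow succeeds because accrue sees `totalBorrow.elastic == 0`, and only the next accrue, inside `repay()` or `liquidate()`, hits the comparison with `debtStartPoint`, so there is no path left that can reduce the debt. With the require in `borrow()` the under-sized borrow is rejected before any state changes, and the collateral can still be removed.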