BigBang Contract: The repay function can be DoSed

[code423n4]

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L728

Vulnerability details

Impact

Users can get DoSed from repaying their debt, which can be very damaging during volatile scenarios.

The same issue is present in the SGLLendingCommon.sol contract _repay function

Proof of Concept

During the _repay function the following code is executed:

userBorrowPart[to] -= part;

It reduces the borrow part of a given user to. The issue arises because the function does not handle the case where part > userBorrowPart[to]; instead, it will fail due to underflow. In volatile scenarios, it is rational to think that users will try to repay all their debt or a big part of it. But, due to the incorrect state handling, an attacker may prevent any user's repayment. For example:

• 1. A Victim is near to being liquidated during a volatile market.
• 2. The victim sends a tx to repay all of his debt.
• 3. An adversary may attack depending on the following scenarios:
     • 3a. The adversary can front-run the victim's transaction repaying only 1 unit.
     • 3b. If there is no public mempool or transactions are FCFS, then the adversary can repay 1 unit blindly, a probabilistic front-running attack.
• 4. The victim may get liquidated.

Severity Rationale

• 1. The attack is costless when the victim wants to make a full repayment. Since USDO uses 18 decimals, 1 unit is almost nothing.
• 2. Even if there is no public mempool, the low cost of the attack and the critical flow that it attacks (repayments) will make it worth it for an adversary to try front-runnings blindly.
• 3. The fix is simple.

Tools Used

Manual Review

Recommended Mitigation Steps

Rewrite the _repay function as:

function _repay(
        address from,
        address to,
        uint256 part
    ) internal returns (uint256 amount) {
        // @audit NOTE: FIX
        if(part > userBorrowPart[to]) {
            part = userBorrowPart[to];
        }

        (totalBorrow, amount) = totalBorrow.sub(part, true);

        userBorrowPart[to] -= part;

        uint256 toWithdraw = (amount - part); //acrrued
        uint256 toBurn = amount - toWithdraw;
        yieldBox.withdraw(assetId, from, address(this), amount, 0);
        //burn USDO
        if (toBurn > 0) {
            IUSDOBase(address(asset)).burn(address(this), toBurn);
        }

        emit LogRepay(from, to, amount, part);
    }

Assessed type

DoS

[c4-pre-sort]

minhquanym marked the issue as low quality report

[minhquanym]

Consider QA

[c4-pre-sort]

minhquanym marked the issue as primary issue

[c4-pre-sort]

minhquanym marked the issue as remove high or low quality report

[c4-sponsor]

0xRektora marked the issue as sponsor confirmed

[c4-judge]

dmvt marked the issue as selected for report