search

code-423n4 / 2023-08-goodentry-findings

3 stars 2 forks source link

OptionsPositionManager.addDust function can cause reverts when the token decimals are greater than 20 or small enough to inflate dust amount #540

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L546-L547

Vulnerability details

Impact

The addDust function in the OptionsPositionManager contract has a vulnerability in its scale calculation, which can cause reverts when the token decimals are greater than 20 or too small. The calculation of the scale0 and scale1 variables is not stable and can lead to issues with arithmetic underflow or excessive inflation of dust values. This issue impacts the operability of the closeDebt function for tokens with large decimals or small decimals like USDC. This could prevent users from being able to repay their debts properly, potentially locking up their funds.

Proof of Concept

If a token has decimals greater than 20 is used as underlying asset, the scale calculation in the addDust function will fail due to arithmetic underflow. If a token has small decimals, the smaller it gets, the more inflated value addDust function will return. Both scenario can result in reverts (arithmetic underflow & insufficient funds) when users try to use the closeDebt function to repay their debts, effectively rendering the operation inoperable for certain tokens.

544:  function addDust(address debtAsset, address token0, address token1) internal returns (uint amount){
545:    IAaveOracle oracle = TokenisableRange(debtAsset).ORACLE();
546:    uint scale0 = 10**(20 - ERC20(token0).decimals()) * oracle.getAssetPrice(token0) / 1e8; // <= FOUND: addDust's scale calculation is not stable.
547:    uint scale1 = 10**(20 - ERC20(token1).decimals()) * oracle.getAssetPrice(token1) / 1e8; // <= FOUND

Tools Used

Manual review

Recommended Mitigation Steps

Use a fixed amount to calculate scales in the addDust function, rather than relying on dynamic calculations based on token decimals.

Assessed type

Decimal

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #412

c4-judge commented 1 year ago

gzeon-c4 changed the severity to QA (Quality Assurance)