The function addDust is used in closeDebt to // Add dust to be sure debt reformed >= debt outstanding as stated in the NatSpec, but in the cases of tokens with less decimals, the amount calculated will be way bigger than expected which could make the whole function revert.
Proof of Concept
addDust is used to calculate the debt variable by adding the repayAmount with the value returned from addDust, as can be seen here
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L265
The repayAmount would be a value which will have the decimal places of variableDebtTokenAddress, which is the same as the variable debt tokens from AAVE, since it is an AAVE fork. The variable debt tokens form AAVE have the same decimal places as the underlying assets, so because same thing will be here. Let's assume that the variableDebtTokenAddress of the debt intended to be payed is from USDC.e, a token which the protocol intends to use as per Scoping Details, and has 6 decimals places. TherepayAmountin this case would be a 1e6 type number andaddDust` would be calculated with one of the tokens being USDC so the calculations will look like this :
because of that the debt would be repayAmount which is a 1e6 number + a 1e14 number from addDust, which will make the debt be way bigger than intended, reverting most of the time on checkExpectedBalances, or in very bad cases making the user pay more than intended
Tools Used
Manual review
Recommended Mitigation Steps
Change the logic of addDust function since it add more than just dust in the case of where one of the tokens has less decimals.
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L544-L551
Vulnerability details
Impact
The function
addDust
is used incloseDebt
to // Add dust to be sure debt reformed >= debt outstanding as stated in the NatSpec, but in the cases of tokens with less decimals, the amount calculated will be way bigger than expected which could make the whole function revert.Proof of Concept
addDust
is used to calculate thedebt
variable by adding therepayAmount
with the value returned fromaddDust
, as can be seen here https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L265 TherepayAmount
would be a value which will have the decimal places ofvariableDebtTokenAddress
, which is the same as the variable debt tokens from AAVE, since it is an AAVE fork. The variable debt tokens form AAVE have the same decimal places as the underlying assets, so because same thing will be here. Let's assume that thevariableDebtTokenAddress
of the debt intended to be payed is fromUSDC.e
, a token which the protocol intends to use as per Scoping Details, and has 6 decimals places. The
repayAmountin this case would be a 1e6 type number and
addDust` would be calculated with one of the tokens being USDC so the calculations will look like this :scale0
here https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L546 would be a 1e2 type number, sincegetAssetPrice
returns a 1e8 number.scale1
would be the USDC one for this case https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L547 so the calculation would be a 1e14, sincegetAssetPrice
returns again a 1e8 number, so 1e14 * 1e8 / 1e8 = ~1e14debt
would berepayAmount
which is a 1e6 number + a 1e14 number fromaddDust
, which will make the debt be way bigger than intended, reverting most of the time oncheckExpectedBalances
, or in very bad cases making the user pay more than intendedTools Used
Manual review
Recommended Mitigation Steps
Change the logic of
addDust
function since it add more than just dust in the case of where one of the tokens has less decimals.Assessed type
Math