code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/LendingLedger.sol#L129-L143

Vulnerability details

Impact

As the documentation suggests, the (white-listed) markets need to call sync_ledger on every deposit / withdrawal by a user. This function updates the lenderBalance and marketBalance for the lender and lending market. But sync_ledger() should be called automatically as if it not updated by lendingMarket on time, can cause serious accounting error for Lender.

Lender can call claim() function before sync_ledger() intentionally or unknowingly hence creating a huge accounting error.

Proof of Concept

https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/LendingLedger.sol#L129-L143

Tools Used

Manual Analysis

Recommended Mitigation Steps

Call sync_ledger() automatically on every cNOTE deposit/withdrawl to avoid any accounting error or loss of canto tokens.

Assessed type

Math

c4-pre-sort commented 1 year ago

141345 marked the issue as low quality report

c4-pre-sort commented 1 year ago

141345 marked the issue as remove high or low quality report

141345 commented 1 year ago

QA might be more appropriate.

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #270

alcueca commented 1 year ago

This is valid QA

c4-judge commented 1 year ago

alcueca marked the issue as not a duplicate

c4-judge commented 1 year ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

alcueca marked the issue as grade-a

code-423n4 / 2023-08-verwa-findings

``sync_ledger()`` should be called automatically. #329

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type