Open code423n4 opened 1 year ago
141345 marked the issue as low quality report
141345 marked the issue as remove high or low quality report
QA might be more appropriate.
141345 marked the issue as duplicate of #270
This is valid QA
alcueca marked the issue as not a duplicate
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/LendingLedger.sol#L129-L143
Vulnerability details
Impact
As the documentation suggests, "the (white-listed) markets need to call sync_ledger on every deposit / withdrawal by a user". This function updates the lenderBalance and marketBalance for the lender and lending market. But sync_ledger() should be called automatically: if it is not updated by the lendingMarket on time, it can cause a serious accounting error for the lender. A lender can call the claim() function before sync_ledger(), intentionally or unknowingly, hence creating a huge accounting error.
Proof of Concept
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/LendingLedger.sol#L129-L143
Tools Used
Manual Analysis
Recommended Mitigation Steps
Call sync_ledger() automatically on every cNOTE deposit/withdrawal to avoid any accounting error or loss of canto tokens.
Assessed type
Math
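As an added illustration of the mitigation above (not code from the veRWA repository or this report), a minimal whitelisted lending market that reports every balance change to the ledger in the same transaction, so the ledger can never lag behind the market when a lender later calls claim(). The ILendingLedger interface with sync_ledger(address, int256), the IERC20 calls and the SyncedMarket contract are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Assumed ledger interface for this example; the page does not show the real signature.
interface ILendingLedger {
    function sync_ledger(address _lender, int256 _delta) external;
}

// Minimal token interface, assumed for the example.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical whitelisted market. Every path that changes a lender's position
// pushes the delta to the ledger before the call returns, so lenderBalance and
// marketBalance on the ledger always match the market's own bookkeeping.
contract SyncedMarket {
    ILendingLedger public immutable ledger;
    IERC20 public immutable cNote;
    mapping(address => uint256) public balanceOf;

    constructor(ILendingLedger _ledger, IERC20 _cNote) {
        ledger = _ledger;
        cNote = _cNote;
    }

    function deposit(uint256 amount) external {
        require(amount > 0 && amount <= uint256(type(int256).max), "bad amount");
        require(cNote.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[msg.sender] += amount;
        // Positive delta: the lender's position grew; synced in the same transaction.
        ledger.sync_ledger(msg.sender, int256(amount));
    }

    function withdraw(uint256 amount) external {
        require(amount > 0 && amount <= uint256(type(int256).max), "bad amount");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        // Negative delta reported before tokens leave, so a claim() in a later
        // transaction can never observe a stale, larger balance.
        ledger.sync_ledger(msg.sender, -int256(amount));
        require(cNote.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A market that omits either sync_ledger call is exactly the condition the report describes: the ledger keeps the old balance until someone syncs, and a claim() in between is computed on stale data.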