code-423n4 / 2023-10-badger-findings


There is a missing overflow check in the flashloan function #315

Closed c4-submissions closed 9 months ago

c4-submissions commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/BorrowerOperations.sol#L1100-L1108

Vulnerability details

Impact

The BorrowerOperations.sol contract flashloan function does not check for an overflow when adding the fees to the flashloan amount. This could lead to an issue where the attacker does not need to pay back the flashloan as they will burn 0 tokens.

Proof of Concept

Arithmetic overflow occurs when the result of a mathematical operation exceeds the maximum value that can be stored in a variable. For example, consider a uint256 variable that can store values between 0 and 2²⁵⁶ - 1. If we add 1 to the maximum value that can be stored in a uint256, the result will be 0, which is called an overflow.

    ebtcToken.transferFrom(address(receiver), feeRecipientAddress, fee + amount);

    // Burn amount, from FEE_RECIPIENT
    ebtcToken.burn(feeRecipientAddress, amount);

    emit FlashLoanSuccess(address(receiver), token, amount, fee);

    return true;
}

Tools Used

Manual Review

Recommended Mitigation Steps

Use the SafeMath library

Assessed type

Under/Overflow

c4-pre-sort commented 9 months ago

bytes032 marked the issue as insufficient quality report

bytes032 commented 9 months ago

Invalid

c4-sponsor commented 9 months ago

GalloDaSballo (sponsor) disputed

jhsagd76 commented 9 months ago

pragma solidity 0.8.17;

c4-judge commented 9 months ago

jhsagd76 marked the issue as unsatisfactory: Invalid
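The `pragma solidity 0.8.17;` reply above refers to the compiler's built-in checked arithmetic. The contract below is an added illustration, not code from the Badger/eBTC repository; `OverflowDemo` and its function names are hypothetical. It evaluates the same `fee + amount` shape with default checked arithmetic and inside an explicit `unchecked` block:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

/// Added illustration; all names here are hypothetical.
contract OverflowDemo {
    /// Same shape as the `fee + amount` expression quoted in the report.
    /// From Solidity 0.8.0 on, `+` on uint256 is checked: if the sum exceeds
    /// type(uint256).max the call reverts with Panic(0x11), so an enclosing
    /// call such as transferFrom(..., fee + amount) is never made with a
    /// wrapped value.
    function repayChecked(uint256 amount, uint256 fee) external pure returns (uint256) {
        return fee + amount;
    }

    /// Pre-0.8 wrapping behaviour, reproduced with an explicit `unchecked` block.
    function repayWrapping(uint256 amount, uint256 fee) external pure returns (uint256) {
        unchecked {
            return fee + amount;
        }
    }

    /// Calls both variants with amount = type(uint256).max and fee = 1.
    /// checkedReverted reports whether the checked variant reverted with the
    /// arithmetic panic code; wrappedValue is what the unchecked variant returned.
    function demo() external view returns (bool checkedReverted, uint256 wrappedValue) {
        uint256 max = type(uint256).max;

        try this.repayChecked(max, 1) returns (uint256) {
            checkedReverted = false;
        } catch Panic(uint256 code) {
            // 0x11 is the panic code for arithmetic overflow/underflow.
            checkedReverted = (code == 0x11);
        }

        wrappedValue = this.repayWrapping(max, 1);
    }
}
```

When triaging overflow reports, check the contract's pragma and search for `unchecked` blocks and inline assembly around the arithmetic in question before assessing impact.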