search

code-423n4 / 2023-11-betafinance-findings

1 stars 1 forks source link

interest is still accuring when the market is paused, force user to incur debts #34

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-11-betafinance/blob/0f1bb077afe8e8e03093c8f26dc0b7a2983c3e47/Omni_Protocol/src/OmniToken.sol#L76 https://github.com/code-423n4/2023-11-betafinance/blob/0f1bb077afe8e8e03093c8f26dc0b7a2983c3e47/Omni_Protocol/src/OmniToken.sol#L103

Vulnerability details

Impact

interest is still accuring when the market is paused, force user to incur debts

Proof of Concept

when the function accure is called

the interest is accured after the interest rate is calculated

{
uint256 interestRate = IIRM(irm).getInterestRate(address(this), trancheIndex, totalDeposit, totalBorrow);
interestAmount = (trancheBorrowAmount_ * interestRate * timePassed) / 365 days / IRM_SCALE;
}

the interest rate depends on the time passed as well

the longer time passed, the higher the interest paid

however, even when the market / tranche is paused

the user interest is still accuring

but repay is not a option because the repay function is guarded by whenNotPaused modifier

    function repay(uint96 _subId, address _market, uint256 _amount) external whenNotPaused {

then user cannot make account health and write off debt by repaying

the only option that user has is to deposit more fund to make the account healthy

but when the contract is paused, user can deposit but cannot really withdraw

     function withdraw(uint96 _subId, uint8 _trancheId, uint256 _share) external nonReentrant returns (uint256 amount) {

the withdraw function is guarded by nonReentrant as well

so any fund that user use to make the account health is locked until the contract is paused

Tools Used

Manual

Recommended Mitigation Steps

do not incur interest when the tranche is paused

Assessed type

Timing

JeffCX commented 1 year ago

duplicate of #32

stalinMacias commented 1 year ago

No, this is not a duplicate of #32 , and I think this is even invalid, borrows and deposits should accrue interests even if the tranch is paused, why they should not? Borrowers pay for the time they are using the borrowedCollateral, no matter if the tranch is paused or not, depositors also receive their yield for the time they've lent their assets.

This looks to me like an invalid problem. I'd say #5 is a duplicate of #32, even though #5 also mentions the same about accruing interests if the tranch is paused, it also mentions the fact that repayments are not possible if the OmniPool is paused and the potential consequences of it, such as accounts falling into liquidation and mev risks of accounts getting liquidated.

JeffCX commented 1 year ago

this issue mentions

however, even when the market / tranche is paused

the user interest is still accuring

but repay is not a option because the repay function is guarded by whenNotPaused modifier

which is the main point of #32

the main point for #5

is MEV bot can frontrun user's repayment after user unpause, account can be unhealthy not only because of the interest charge, but also because of the market price

stalinMacias commented 1 year ago

Well, in #32 I mentioned both problems, the fact that users can't repay and the possibility of mev races after the contract is unpaused.

so, based on your comment, both, #5 and #34 would be duplicates at a 50% of #32

JeffCX commented 1 year ago

I see your report from #32

if the account felt into liquidation status, now the users and liquidators will be in a mev run to either repay the debt or liquidate the collateral.

Agree both #5 and #34 and #32 can be group together

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #32

c4-judge commented 1 year ago

thereksfour marked the issue as satisfactory