Open c4-bot-4 opened 10 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as primary issue
eswak (sponsor) confirmed
Very clear, thank you 👍
Trumpero marked the issue as satisfactory
Trumpero marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/LendingTerm.sol#L323-L330

Vulnerability details

Description
The LendingTerm::debtCeiling() function calculates the min of creditMinterBuffer, _debtCeiling and _hardCap as shown below:

However, the above minimum logic is flawed, as it does not always return the minimum of the 3 values.

Impact
As the min() calculation is not correct, LendingTerm::debtCeiling() might return an incorrect value, and so might return a higher debt ceiling than the actual debt ceiling the function should be returning. LendingTerm::debtCeiling() is used in GuildToken::_decrementGaugeWeight(), which will make this function incorrect as well.

Proof of concept
If creditMinterBuffer was 3, _debtCeiling was 5, and _hardCap was 1, then the min of the 3 values should be _hardCap, which is 1. But instead, the condition creditMinterBuffer < _debtCeiling becomes true, which then returns creditMinterBuffer (3), which is incorrect.

Severity Justification
This is Medium severity, based on the Code4rena Severity Categorization: https://docs.code4rena.com/awarding/judging-criteria/severity-categorization
2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.

Tools Used
Manual review

Recommended Mitigation Steps
Update the min() logic to be correct:

Assessed type
Other
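As an added example (not code from the Ethereum Credit Guild repository or from this report), the following Python model reproduces the proof of concept above and contrasts the chained-comparison minimum with a correct three-way minimum of the kind the mitigation asks for. Only the first branch of the flawed version (creditMinterBuffer < _debtCeiling returns creditMinterBuffer) is taken from the report; its remaining branches are an assumption made here for illustration.

```python
# Added example modelling LendingTerm::debtCeiling()'s min() logic.
# The first branch of flawed_debt_ceiling() follows the report; the remaining
# branches are an assumption made for illustration, not the contract's code.
from itertools import product


def flawed_debt_ceiling(credit_minter_buffer: int, debt_ceiling: int, hard_cap: int) -> int:
    """Chained comparison that never compares creditMinterBuffer against _hardCap."""
    if credit_minter_buffer < debt_ceiling:
        return credit_minter_buffer  # _hardCap is ignored on this path (from the report)
    if hard_cap < debt_ceiling:      # assumed remaining branches
        return hard_cap
    return debt_ceiling


def fixed_debt_ceiling(credit_minter_buffer: int, debt_ceiling: int, hard_cap: int) -> int:
    """Correct three-way minimum: compare each candidate against the running minimum."""
    result = debt_ceiling
    if credit_minter_buffer < result:
        result = credit_minter_buffer
    if hard_cap < result:
        result = hard_cap
    return result


def divergent_inputs(limit: int) -> list[tuple[int, int, int]]:
    """Enumerate (creditMinterBuffer, _debtCeiling, _hardCap) in [0, limit) for which
    the flawed version returns something other than the true minimum."""
    return [
        (b, c, h)
        for b, c, h in product(range(limit), repeat=3)
        if flawed_debt_ceiling(b, c, h) != fixed_debt_ceiling(b, c, h)
    ]


if __name__ == "__main__":
    # Values from the report's proof of concept: buffer 3, debt ceiling 5, hard cap 1.
    print(flawed_debt_ceiling(3, 5, 1))  # 3: over-reports the ceiling
    print(fixed_debt_ceiling(3, 5, 1))   # 1: the true minimum (_hardCap)
    bad = divergent_inputs(6)
    # Every divergent triple has _hardCap < creditMinterBuffer < _debtCeiling.
    print(len(bad), bad[:3])
```

Under the stated assumption, the two versions disagree exactly when _hardCap < creditMinterBuffer < _debtCeiling, and the flawed version never returns less than the correct one, so the error is always an inflated debt ceiling.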