search

code-423n4 / 2023-12-initcapital-findings

3 stars 3 forks source link

Use WLP as collateral can bypass the supply cap check for underlying asset exposure #10

Open c4-bot-6 opened 10 months ago

c4-bot-6 commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/a53e401529451b208095b3af11862984d0b32177/contracts/core/InitCore.sol#L107

Vulnerability details

Impact

Use WLP as collateral can bypass the supply cap check for underlying asset exposure

Proof of Concept

User can deposit asset into the lending pool and then mint lending pool and then use lending pool share as collateral to borrow fund

User can also mint WLP and use WLP as collateral to borrow

when the lending pool share is minted, the total asset is subject to the supply cap check

    function mintTo(address _pool, address _to) public virtual nonReentrant returns (uint shares) {
        // check pool status
        PoolConfig memory poolConfig = IConfig(config).getPoolConfig(_pool);
        _require(poolConfig.canMint, Errors.MINT_PAUSED);
        // call mint at pool using _to
        shares = ILendingPool(_pool).mint(_to);
        // check supply cap after mint
        _require(ILendingPool(_pool).totalAssets() <= poolConfig.supplyCap, Errors.SUPPLY_CAP_REACHED);
    }

note the check

      _require(ILendingPool(_pool).totalAssets() <= poolConfig.supplyCap, Errors.SUPPLY_CAP_REACHED);

the intention is to limit the underlying exposure of a underlying asset in lending pool

However, there is no such as check when user collateralize the position via WLP

the protocol intends to support AMM LP as highlight in the white paper

for example,

if the LP token is Uniswap V3 LP

after the LP becomes WLP as collateral,

the user can increase the liquidity worth unlimitedly by calling the function increaseLiquidity , even after collateralizeWLP to bypass the supply cap

https://docs.uniswap.org/contracts/v3/reference/periphery/NonfungiblePositionManager#increaseliquidity

function increaseLiquidity( struct INonfungiblePositionManager.IncreaseLiquidityParams params ) external returns (uint128 liquidity, uint256 amount0, uint256 amount1)

Increases the amount of liquidity in a position, with tokens paid by the msg.sender

Tools Used

Manual Review

Recommended Mitigation Steps

When user collateralize using WLP, check supply cap as well

Assessed type

Token-Transfer

c4-judge commented 10 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 10 months ago

fez-init (sponsor) disputed

JeffCX commented 10 months ago

I think this is a duplicate of #25

from #25

It should be noted that most DEXs (e.g., Uniswap) allow any user to provide liquidity to any other users position. In practice, this bypasses the collateralization paused functionality.

from this report

the user can increase the liquidity worth unlimitedly by calling the function increaseLiquidity

fez-init commented 10 months ago

This issue is more of a recommendation to check supply cap on wLps, but this seems invalid since LendingPool does not support LP tokens, as LP tokens will be within wLps.

Although this issue also talks about being able to increase wLp infinitely, this issue is different from #25 . #25 is talking breaking the intended behavior when collateralization is supposedly paused and is able to be bypassed. @JeffCX

hansfriese commented 10 months ago

I agree it's different from #25. Downgrade to QA as it shows a lower impact.

c4-judge commented 10 months ago

hansfriese changed the severity to QA (Quality Assurance)

c4-judge commented 10 months ago

hansfriese marked the issue as grade-a