code-423n4 / 2023-12-initcapital-findings


TRST-M-1 finding from previous audit still exists #16

Closed c4-bot-10 closed 10 months ago

c4-bot-10 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L462

Vulnerability details

Proof of Concept

Issue TRST-M-1 from the previous audit still exists.

In order to calculate the collateral amount, the getCollateralCreditCurrent_e36 function is used. https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/core/InitCore.sol#L462

uint tokenValue_e36 = ILendingPool(pools[i]).toAmtCurrent(shares[i]) * tokenPrice_e36;

tokenValue_e36 is the USD value of the user's shares in the pool. To calculate the amount that the pool will return for the shares, the toAmt function is called, and this function uses totalAssets() to calculate the output amount. totalAssets() is cash + totalDebt.

If syncCash is called, then cash is updated with the contract balance.

syncCash is called by the InitCore.flash function, which means that it's enough for an attacker to take a small flash loan and then donate tokens to the pool; syncCash will update the cash variable and, as a result, increase his collateral.

Thus, issue still exists.

Also, in a similar way poolConfig.supplyCap can be breached; however, I don't see an issue in this case, as it can be breached even non-maliciously, just with accrued interest and flash fees.

Impact

It's possible to add more collateral, even when collateralization is paused.

Tools Used

VsCode

Recommended Mitigation Steps

I don't see how to fix this correctly; maybe change the flash repayment flow, so that the flash loaner needs to approve the amount to InitCore and the core will then send the tokens with the fee to the pool.

Assessed type

Error
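Added example (Python, not code from the InitCapital repository or from the warden's submission) modelling the accounting path the finding describes: share value derived from totalAssets() = cash + totalDebt, a cash sync that reads the contract balance, and a hypothetical hardened sync that credits only inflows the core itself accounted for. All names, numbers and the hardened variant are constructed assumptions used to show which invariant a mitigation needs to preserve.

```python
from dataclasses import dataclass


@dataclass
class PoolModel:
    """Toy pool: share value derives from totalAssets() = cash + totalDebt."""
    cash: int            # cash the pool has accounted for
    total_debt: int
    total_shares: int
    balance: int         # actual token balance held by the pool contract

    def total_assets(self) -> int:
        return self.cash + self.total_debt

    def to_amt(self, shares: int) -> int:
        # shares -> underlying amount, rounding down as share math usually does
        return shares * self.total_assets() // self.total_shares

    def donate(self, amount: int) -> None:
        # plain token transfer into the pool; no pool function is invoked
        self.balance += amount

    def sync_cash_from_balance(self) -> None:
        # behaviour the finding describes: cash := contract balance, so any
        # donated tokens are credited to every existing share holder
        self.cash = self.balance

    def credit_expected_inflow(self, amount: int) -> None:
        # hypothetical hardened variant: credit only the inflow the core itself
        # arranged (flash principal + fee); surplus balance stays uncounted
        self.cash += amount


def collateral_credit_e36(pool: PoolModel, shares: int, price_e36: int) -> int:
    """Mirror of the cited line: toAmtCurrent(shares) * tokenPrice_e36."""
    return pool.to_amt(shares) * price_e36


def share_value_after_donation(donation: int, hardened: bool) -> tuple[int, int]:
    """Return (collateral credit before, after) a donation followed by a sync."""
    pool = PoolModel(cash=1_000, total_debt=500, total_shares=1_500, balance=1_000)
    shares, price_e36 = 300, 2 * 10**36          # constructed sample position
    before = collateral_credit_e36(pool, shares, price_e36)
    pool.donate(donation)
    if hardened:
        pool.credit_expected_inflow(0)           # flash repaid exactly: no accounted inflow
    else:
        pool.sync_cash_from_balance()
    after = collateral_credit_e36(pool, shares, price_e36)
    return before, after
```

With balance-based sync the same 300 shares are worth more after a 150-token donation; the tracked variant leaves the credit unchanged, which is the property a fix should check.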

c4-judge commented 10 months ago

hansfriese marked the issue as duplicate of #3

c4-judge commented 10 months ago

hansfriese marked the issue as satisfactory