code-423n4 / 2024-01-init-capital-invitational-findings


Overpaid asset is locked in lending pool when flashloan #10

Open c4-bot-4 opened 7 months ago

c4-bot-4 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/InitCore.sol#L392

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/InitCore.sol#L380

Vulnerability details

Impact

Overpaid asset is locked after a flashloan

Proof of Concept

During a flashloan, at the end the code checks whether the lending pool balance is greater than the consumed balance before the flashloan

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/InitCore.sol#L392

// execute callback
IFlashReceiver(msg.sender).flashCallback(_pools, _amts, _data);
// check pool balance after callback
for (uint i; i < _pools.length; i = i.uinc()) {
    _require(IERC20(tokens[i]).balanceOf(_pools[i]) >= balanceBefores[i], Errors.INVALID_AMOUNT_TO_REPAY);
}

The problem is the case where the user overpays the flashloan.

Suppose the user flash loans 10000 USDC and then repays 10100 USDC. The 100 USDC is lost and locked in the lending pool, because the internal accounting of the lending pool uses cashAmount to track the available balance,

but the code above does not update the cash amount after the flashloan is finished.

Tools Used

Manual review

Recommended Mitigation Steps

While I understand this is a mitigation for finding

https://github.com/code-423n4/2023-12-initcapital-findings/issues/3

the issue above (issue 3) can be resolved

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/InitCore.sol#L380

// check that flash is enabled
_require(poolConfig.canFlash, Errors.FLASH_PAUSED);

when setModeStatus.canCollateralize and canBorrow are set to false

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/Config.sol#L136

/// @inheritdoc IConfig
function setModeStatus(uint16 _mode, ModeStatus calldata _status) external onlyGuardian {
    _require(_mode != 0, Errors.INVALID_MODE);
    __modeConfigs[_mode].status = _status;
    emit SetModeStatus(_mode, _status);
}

disable all flashloans for all the pools that belong to a mode

and sync the lending pool balance even if the user overpays the flashloan

Assessed type

Access Control
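The accounting gap the finding describes, as an added illustration that is not INIT Capital's code: a stripped-down pool whose `cash` counter (not its token balance) is what user-facing paths trust, a core contract with the quoted `balanceOf >= balanceBefore` check, and a hardened variant that re-books the pool's real balance after the callback. `MockToken`, `ToyPool`, `ToyCore`, `OverpayingReceiver`, `syncCash`, `unbookedAmount` and the rest of the names are hypothetical; only the repayment check mirrors the quoted snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not INIT Capital's code. All contract and function names
// here are hypothetical; only the `balanceOf >= balanceBefore` check mirrors
// the snippet quoted in the finding.

interface IFlashReceiverLike {
    function flashCallback(address pool, uint256 amt) external;
}

/// Bare-minimum ERC20 surface: just enough to move balances around.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function transfer(address to, uint256 amt) external returns (bool) {
        balanceOf[msg.sender] -= amt; // reverts on underflow (0.8 checked math)
        balanceOf[to] += amt;
        return true;
    }
}

/// Pool whose `cash` counter, not its token balance, is the source of truth for
/// what user paths may withdraw or borrow.
contract ToyPool {
    MockToken public immutable token;
    address public immutable core;
    uint256 public cash;

    constructor(MockToken _token, address _core) { token = _token; core = _core; }

    /// Re-book the real balance as cash. In this toy anyone may call it; the
    /// point is that the flash path below never does.
    function syncCash() external {
        cash = token.balanceOf(address(this));
    }

    /// Core moves principal out; `cash` stays untouched because the loan must
    /// come back within the same transaction.
    function transferOutForFlash(address to, uint256 amt) external {
        require(msg.sender == core, "not core");
        require(token.transfer(to, amt), "transfer failed");
    }

    /// Tokens the pool holds that no accounting path currently counts.
    function unbookedAmount() external view returns (uint256) {
        return token.balanceOf(address(this)) - cash;
    }
}

contract ToyCore {
    /// Reproduces the quoted check: a repayment >= balanceBefore passes, but an
    /// overpayment is never folded into `cash`.
    function flashUnsynced(ToyPool pool, uint256 amt) external {
        _flash(pool, amt);
    }

    /// Hardened variant: identical check, then a resync so overpaid tokens
    /// become pool cash instead of sitting unbooked.
    function flashSynced(ToyPool pool, uint256 amt) external {
        _flash(pool, amt);
        pool.syncCash();
    }

    function _flash(ToyPool pool, uint256 amt) internal {
        MockToken token = pool.token();
        uint256 balanceBefore = token.balanceOf(address(pool));
        pool.transferOutForFlash(msg.sender, amt);
        IFlashReceiverLike(msg.sender).flashCallback(address(pool), amt);
        require(token.balanceOf(address(pool)) >= balanceBefore, "INVALID_AMOUNT_TO_REPAY");
    }
}

/// Receiver that repays principal plus 1%: the 10000 -> 10100 USDC scenario.
contract OverpayingReceiver is IFlashReceiverLike {
    ToyCore immutable core;
    constructor(ToyCore _core) { core = _core; }

    function flashCallback(address pool, uint256 amt) external override {
        MockToken token = ToyPool(pool).token();
        require(token.transfer(pool, amt + amt / 100), "repay failed");
    }

    function borrow(ToyPool pool, uint256 amt, bool synced) external {
        if (synced) core.flashSynced(pool, amt);
        else core.flashUnsynced(pool, amt);
    }
}
```

To walk it through: deploy `MockToken`, `ToyCore`, then `ToyPool(token, address(core))` and `OverpayingReceiver(core)`; mint 10000e6 to the pool and call `pool.syncCash()` so `cash == 10000e6`; mint 100e6 to the receiver for the extra 1%. After `receiver.borrow(pool, 10000e6, false)` the repayment check passes, `cash` is still 10000e6 and `pool.unbookedAmount()` returns 100e6: the overpaid tokens sit in the pool outside its accounting. With `synced == true` the same call leaves `cash == 10100e6` and `unbookedAmount() == 0`, which is the "sync the lending pool balance" step the mitigation asks for; a stricter alternative is to reject any repayment above the recorded balance so the caller never overpays in the first place.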

c4-judge commented 7 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 7 months ago

fez-init (sponsor) acknowledged

c4-sponsor commented 7 months ago

fez-init marked the issue as disagree with severity

fez-init commented 7 months ago

This should be QA.

hansfriese commented 7 months ago

QA is more appropriate.

c4-judge commented 7 months ago

hansfriese changed the severity to QA (Quality Assurance)