Open c4-bot-9 opened 6 months ago
cryptotechmaker (sponsor) confirmed
dmvt marked the issue as primary issue
cryptotechmaker marked the issue as disagree with severity
I don't think this is an issue @c4-judge (@GalloDaSballo saw you mentioned it in another place)
depositAmount
and repayAmount
are 2 independent parameters. One can deposit 10 because he has another 90 already deposited and repays 100.
The repayAmount
should be converted to part before calling the method by using MagnetarHelper. This or we manually convert it to part in the method itself. What do you think?
dmvt marked the issue as selected for report
On review I agree. As @GalloDaSballo suggested, I don't think this is actually an issue. If the warden would like to provide a written test POC, I'd reinstate. As is I'll be downgrading to low.
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-a
dmvt marked the issue as not selected for report
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarAssetModule.sol#L91-L106
Vulnerability details
Description
In the
depositRepayAndRemoveCollateralFromMarket
function of MagnetarAssetModule contract, there is an option to deposit assets into the YieldBox before repaying user's loan in market. However, it doesn't convert the deposited asset amount to the borrow part for repayment. This results in the risk that the deposited asset amount will mismatch with the part of the borrow that will be repaid.After depositing, this function doesn't check if
data.repayAmount
aligns with the deposited amount. Note that the parameter of the repay function is the borrow part of the loan which will be repaid. The ratio between the borrow amount and the borrow part in a market is not stable, so there is no way to ensure thatdata.repayAmount
is the exact borrow part to repay usingdata.depositAmount
asset tokens.Therefore,
data.repayAmount
can be lower than the exact borrow part that can be repaid from the deposited asset amount, resulting in users losing assets because of depositing more than repaying. The excess assets will be stuck in the Magnetar contract. Otherwise, ifdata.repayAmount
is higher than the maximum borrow part can be repaid, this function will revert due to insufficient assets for repaying.Impact
User may lose their funds or experience DOS attack when using
depositRepayAndRemoveCollateralFromMarket
of Magnetar.Tools Used
Manual review
Recommended Mitigation Steps
In
depositRepayAndRemoveCollateralFromMarket
function, ifdata.depositAmount > 0
, it should recalculate repayAmount by convert from received shares to borrow partAssessed type
Other