User cannot repay all debt because at least 1 wei of borrowShare remains.
When repaying all debt with `AaveHub.sol#paybackExactAmountETH`, 1 wei of `borrowShare` remains.
Proof of Concept
The `AaveHub.sol#paybackExactAmountETH` function, which repays debt, is as follows.
On L498, suppose that `userBorrowShare` is 10.
On L507, the equation that calculates `paybackAmount` from `borrowShare` is `userBorrowShare * pseudoTotalBorrowAmount / totalBorrowShares + 1`.
If `pseudoTotalBorrowAmount = 100` and `totalBorrowShares = 50`, `maxPaybackAmount` becomes `20 + 1`.
Suppose also that `actualAmountDeposit = paybackAmount = maxPaybackAmount`.
The equation that calculates `borrowShares` from `paybackAmount` is `maxPaybackAmount * totalBorrowShares / pseudoTotalBorrowAmount - 1`.
So `borrowSharesReduction` becomes `(20 + 1) * 50 / 100 - 1 = 10 - 1`.
Therefore `userBorrowShares` cannot be fully removed, and 1 wei of `borrowShare` remains.
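The round trip described above, modelled in Python as an added example (not code from the report or from Wise Lending). It reproduces the 10-share case, sweeps constructed pools whose share price is above 1, and compares against a hypothetical ceil-then-floor rounding capped at the user's balance; the function names and that alternative rounding are assumptions.

```python
# Added illustration: models the two integer formulas quoted in the report.
# Python's // on non-negative ints behaves like Solidity's uint256 division.

def payback_amount(shares, pseudo_total, total_shares):
    """Shares -> amount, as quoted for L507: s * P / T + 1."""
    return shares * pseudo_total // total_shares + 1

def shares_reduction(amount, pseudo_total, total_shares):
    """Amount -> shares, as quoted in the report: a * T / P - 1."""
    return amount * total_shares // pseudo_total - 1

def residual_after_full_repay(shares, pseudo_total, total_shares):
    """Shares left after paying exactly the quoted 'full' amount."""
    amount = payback_amount(shares, pseudo_total, total_shares)
    return shares - shares_reduction(amount, pseudo_total, total_shares)

def ceil_div(a, b):
    return (a + b - 1) // b

def residual_with_ceil_floor(shares, pseudo_total, total_shares):
    """Hypothetical alternative (assumption, not the project's patch):
    round the amount up, round the shares down, cap at the user's balance."""
    amount = ceil_div(shares * pseudo_total, total_shares)
    reduction = min(shares, amount * total_shares // pseudo_total)
    return shares - reduction

def sweep(residual_fn, max_total=40):
    """Residuals seen over constructed pools with share price > 1 (P > T)."""
    seen = set()
    for total in range(1, max_total + 1):
        for pseudo in range(total + 1, 3 * total + 1):
            for shares in range(1, total + 1):
                seen.add(residual_fn(shares, pseudo, total))
    return seen

if __name__ == "__main__":
    # The report's numbers: 10 shares, P = 100, T = 50.
    print("amount:", payback_amount(10, 100, 50))
    print("residual:", residual_after_full_repay(10, 100, 50))
    print("quoted formulas, sweep:", sweep(residual_after_full_repay))
    print("ceil/floor variant, sweep:", sweep(residual_with_ceil_floor))
```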
Tools Used
Manual Review
Recommended Mitigation Steps
Every place that rounds up or down has to be modified to round correctly.
For example, the mitigation steps for this problem are as follows.
1. We have to modify the `MainHelper.sol#paybackAmount` function as follows.
2. We have to modify the `MainHelper.sol#_calculateShares` function as follows.
```solidity
function _calculateShares(
    uint256 _product,
    uint256 _pseudo,
    bool _maxSharePrice
)
    private
    pure
    returns (uint256)
{
    return _maxSharePrice == true
```
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/MainHelper.sol#L127
https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/MainHelper.sol#L44
Assessed type
Math