Closed c4-bot-10 closed 5 months ago
GalloDaSballo marked the issue as insufficient quality report
If an attacker successfully drains liquidity from the lending pools, users who have deposited their funds into those pools may lose their assets, leading to financial losses and a loss of trust in the protocol.
Yes
These are some unclear thoughts, if you think the accounting is not done correctly please provide POC of a depositor being able to withdraw more than they have deposited any way possible. Should be dismissed.
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L714-L745 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L724-L732
Vulnerability details
Impact
If an attacker successfully drains liquidity from the lending pools, users who have deposited their funds into those pools may lose their assets, leading to financial losses and a loss of trust in the protocol.
With depleted liquidity, the protocol may not have sufficient funds to fulfill borrowing requests or allow users to withdraw their deposits, effectively halting the core lending and borrowing functionality.
Liquidity-draining attacks can severely damage the reputation of the Wise Lending protocol, eroding user confidence and potentially leading to a decline in adoption and usage.
Proof of Concept
Liquidity-draining attacks pose a significant risk to the Wise Lending protocol, as they aim to exploit vulnerabilities or design flaws to drain funds from lending pools or token reserves. If successful, these attacks can severely impact the protocol's liquidity.
WiseLending
contract, thewithdrawExactAmount
function allows users to withdraw their deposited funds: WiseLending.sol#withdrawExactAmountThe
withdrawExactAmount
function relies on the_handleWithdrawAmount
function to process the withdrawal: _handleWithdrawAmount#L724-L732_The code lacks proper balance checks to ensure that the requested withdrawal amount does not exceed the user's actual deposited balance. The
_preparationsWithdraw
function calculates the withdrawal shares based on the requested amount, but it does not verify if the user has sufficient shares or funds available for withdrawal._So as we can see, the protocol's liquidity management techniques may be flawed, allowing attackers to manipulate the liquidity pools. For example, if the protocol relies solely on the total supply of tokens in the pool to determine liquidity, an attacker could artificially inflate the supply by depositing and withdrawing funds repeatedly, making it appear as if there is more liquidity than available.
Tools Used
VsCode
Recommended Mitigation Steps
Implement strict access controls to ensure that only the rightful owners of deposited funds can initiate withdrawals. This can be achieved by verifying the caller's identity through authentication mechanisms such as digital signatures or access tokens.
Assessed type
Invalid Validation