Closed c4-bot-5 closed 6 months ago
The idea of accounting for aToken rebase is worth reviewing, but the report is lacking in proof and POC
User are not borrowing aToken. The pool token are just parked into aave to earn the extra APY from Aave. When someone borrows from an aave pool, the aToken are withdrawn from Aave and send to the user. There are not aaveDebt token creating extra rebase. In other words user borrow just the underlying token which only has a borrow rate defined by the token borrow rate curve. This reduces the effective amount parked in Aave and has influence on the total extra APY from Aave which is a function of the pool utilization. This is also taken into account when computing the effecitve Aave pool APY and displayed on the UI correcetly, being a proof that this functionallity is intended.
GalloDaSballo marked the issue as primary issue
GalloDaSballo marked the issue as insufficient quality report
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L500-L576
Vulnerability details
before every operator of wise lending, it will call _updatePseudoTotalAmounts to update borrow interest amount to pool.If the pool token is aToken, it will only calculate the interest generated by borrowing amount, and don't take into the rebase increasing amount after borrowing and interest generated.In low borrow rate,increaing amount will exceed borrow interest,and borrower will get benefits from borrowing,it is unreasonable.The borrower can even use repeated deposits and borrows to add leverage and obtain more rebase increasing amounts.
Impact
When positive rebase token (aToken) is borrowed, the amount and interest of the rebase increase are not calculated.
Proof of Concept
before every operator of wise lending, it will call _cleanup function in _preparePool function to add rebase amount or falsely sent amount to pool,and _updatePseudoTotalAmounts to update borrow interest amount to pool.If the pool token is aToken, it will only calculate the interest generated by borrowing amount, and don't calculate the rebase increasing amount after borrowing and interest generated.In low borrow rate,increaing amount may exceed borrow interest,and borrower will get benefits from borrowing,it is unreasonable.
It use syncPool to update lending amount and borrow amount before pool position operation, and it call _syncPoolBeforeCodeExecution to _preparePool:
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L103-L105
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L286-L288
In _preparePool,it will call _cleanup to add rebase amount or falsely sent amount of pool token to gobal pool data and lending data:
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L372-L384
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L298-L343
and use _updatePseudoTotalAmounts to update borrow interest:
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/MainHelper.sol#L500-L576
In _updatePseudoTotalAmounts,it calculates interest of aToken based on borrowing amount,and don't take into the rebase increasing amount and interest.
When borrow rate is lower than rebase rate of aToken,, borrower can borrowing to earn, I think it is unreasonable.And borrower can use deposit and borrow to add leverage,make this benefits higher if borrow rate is low.
Tool Used
foundary、vscode
Recommended Mitigation Steps
Taking into aToken rebase in borrowing interest and borrowing amount.
Assessed type
Other