Open c4-bot-8 opened 6 months ago
0xEVom marked the issue as sufficient quality report
0xEVom marked the issue as primary issue
0xEVom marked the issue as insufficient quality report
V3Vault.transform() explicitly prevents the token from changing ownership and correctly provides functionality to transform a loan (and LeverageTransformer.leverageDown() to leverage down), not to repay it. Users should use V3Vault.repay() to repay in full.
QA
jhsagd76 changed the severity to QA (Quality Assurance)
L-B
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/transformers/LeverageTransformer.sol#L123-L175
Vulnerability details
Impact
Users can use the LeverageTransformer::leverageDown function to leverage down their positions directly in 1 TX. This can be done by calling V3Vault::transform while passing the needed parameters. This function checks if the NFT is still owned by the vault at the end of the transform process; if not, it reverts, by the following condition:
However, in case of full repayment, the NFT will be transferred to the original owner, which is the expected behavior, but the whole TX reverts because of the above, blocking users from using that transform functionality.
Proof of Concept
For the sake of simplicity, instead of borrowing a loan and fully repaying it, the test attached will show the leverage-down mechanism on a position whose pair is different from the vault's asset (but both tokens are accepted as collateral, i.e. collateral factor > 0). This has the outcome of full repayment, as the debt is 0.
Add support for USDT:
Test:
Tools Used
Manual review
Recommended Mitigation Steps
Refactor V3Vault::transform to handle this specific case.
Assessed type
DoS