Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L906-L908
Vulnerability details
In the V3Vault deposit path, the lend share count is mistakenly used instead of the lend token amount to check whether globalLendLimit is exceeded. As time passes, the total amount that can be deposited keeps growing.
Impact
As time passes, the maximum total amount that can be deposited keeps growing.
Proof of Concept
From the white paper:
globalLendLimit: Limits the total lending token amount that can be deposited. It limits new deposits but does not affect existing ones.
It is used correctly in maxDeposit and maxMint, but it is used incorrectly in function _deposit:
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Oracle.sol#L106-L117
Because the vault is a positive rebase token, one share represents a larger and larger token amount as time passes. So with a fixed globalLendLimit, the maximum total amount that can be deposited keeps growing over time.
This error breaks the protocol's lend limit, so I consider it a medium severity finding.
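The unit mismatch described above, modelled in Python as an added example (not code from this report or from V3Vault.sol). VaultModel, accrue, scenario, the Q96 fixed-point rate and all numbers are assumptions constructed for illustration, and rounding is simplified to floor division.

```python
# Added illustration: a toy model, not the V3Vault source. All names are hypothetical.
Q96 = 2**96  # assumed fixed-point scale for the share -> token exchange rate


class VaultModel:
    """Rebasing vault: one share is worth rate_x96 / Q96 lend tokens."""

    def __init__(self, global_lend_limit, check_assets):
        self.global_lend_limit = global_lend_limit  # denominated in lend tokens
        self.check_assets = check_assets  # False reproduces the share-based check
        self.rate_x96 = Q96  # 1 token per share at launch
        self.total_shares = 0

    def total_assets(self):
        return self.total_shares * self.rate_x96 // Q96

    def accrue(self, percent):
        """Interest raises the token value of every share by `percent`."""
        self.rate_x96 = self.rate_x96 * (100 + percent) // 100

    def deposit(self, assets):
        """Mint shares for `assets` tokens; raise if the limit check fails."""
        shares = assets * Q96 // self.rate_x96
        new_shares = self.total_shares + shares
        if self.check_assets:
            measured = new_shares * self.rate_x96 // Q96  # tokens: same unit as limit
        else:
            measured = new_shares  # shares: undercounts once rate > 1
        if measured > self.global_lend_limit:
            raise ValueError("global lend limit exceeded")
        self.total_shares = new_shares
        return shares


def scenario(check_assets):
    """Constructed numbers: limit 1,000,000 tokens, 50% growth, then a 600,000 deposit."""
    vault = VaultModel(global_lend_limit=1_000_000, check_assets=check_assets)
    vault.deposit(500_000)  # 500,000 shares at rate 1.0
    vault.accrue(50)  # the same shares are now worth 750,000 tokens
    try:
        vault.deposit(600_000)  # would lift total assets to 1,350,000
        accepted = True
    except ValueError:
        accepted = False
    return accepted, vault.total_assets()


if __name__ == "__main__":
    print("share-based check:", scenario(check_assets=False))
    print("asset-based check:", scenario(check_assets=True))
```

In this model the share-based check accepts the second deposit because 900,000 shares is below the limit, even though those shares are worth 1,350,000 tokens; the asset-based check rejects it and still accepts a deposit that keeps total assets within 1,000,000.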
Tool Used
VS Code, Foundry
Recommended mitigation steps
Use this in check:
Assessed type
Error