Closed c4-bot-8 closed 3 months ago
0xEVom marked the issue as sufficient quality report
0xEVom marked the issue as primary issue
Also see proposed mitigations under #212 and #116
kalinbas (sponsor) disputed
I can not see how this is possible. The shares at the beginning are proportional to to assets deposited.. So if the asset is USDC and 1000000000 are deposited, 1000000000 shares are minted. The exchange rate at the beginning is 1 (2**96)
exchange rates can not be manipulated, they are stored in the contract and are only changed when there is interest added
I have reviewed all the duplicates, and no one has really provided a path for an inflation attack. Direct donations cannot manipulate newLendExchangeRateX96 unless there is a way to manipulate the interest. I have not seen such an attack vector. if there is one, please, warden, supplement it.
jhsagd76 marked the issue as unsatisfactory: Insufficient proof
jhsagd76 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L877
Vulnerability details
Summary
The contract does not have an explicit check or enforcement for a minimum total supply threshold. If the
globalLendLimit
anddailyLendIncreaseLimitMin
are set to low values, an attacker can potentially exploit the contract when the total supply is low enough, leading to a "donation attack".Proof of Concept
Scenario
globalLendLimit
anddailyLendIncreaseLimitMin
.Impact
Subsequent user deposits can be effectively stolen or significantly diminished due to the inflated exchange rates caused.
Tools Used
Manual
Recommended Mitigation Steps
Introduce an explicit minimum total supply threshold in the contract. This threshold should be set to a reasonable value based on the expected usage and risk profile of the lending protocol.
Add a new constant for the minimum total supply threshold:
Modify the
_deposit
function to check the minimum total supply threshold before minting new shares:Modify the
_withdraw
function to check the minimum total supply threshold before burning shares:Add a new error event for the
TotalSupplyBelowMinimum
case:Assessed type
ERC4626