Open c4-bot-10 opened 4 months ago
piske-alex (sponsor) confirmed
alcueca marked the issue as satisfactory
alcueca marked the issue as selected for report
Similar to #30, this seems QA to me. The attacker has zero incentives in doing this and the protocol is not at risk. They are donating money to get nothing in return, which is a self-rekt. total_funds
isn't used anywhere, and there isn't a leak of funds.
To not repeat the same comment again. Please check this https://github.com/code-423n4/2024-04-lavarage-findings/issues/30#issuecomment-2091198036
Thank you
I agree with @DadeKuma. While it might be annoying to not be able to trust total_funds
, the protocol will function normally. No funds will be lost, and the team will have to find a different way to display the correct data in the frontend. That's about it.
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as not selected for report
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/main/libs/smart-contracts/programs/lavarage/src/processor/lending.rs#L87
Vulnerability details
Impact
A malicious actor can send SOL directly to a node_wallet (lender's funding account). When the lender withdraws all available SOL amount,
ctx.accounts.node_wallet.total_funds
will underflow and becomes a big number. This is becausectx.accounts.node_wallet.total_funds
is updated based on user input while not considering external direct transfer.lending.rs#L87
As a result, the accounting in the protocol for the node and relevant trading pool is messed up as
total_funds
is a core invariant in the protocol.Another way of manipulating total_funds:
if the borrower set the
fee_receipient
to the node account, thectx.accounts.node_wallet.total_funds
will have an incorrect value, because it deducts theinterest_share
fromrepay_amount
even iffee_receipient
was the node account.swapback.rs#L196
Proof of Concept
Included within the impact description above for easiness
Tools Used
Manual analysis
Recommended Mitigation Steps
Always update
ctx.accounts.node_wallet.total_funds
based on the actual balance (lamports) of node_wallet. This way, we get consistency naturally by design.Assessed type
Under/Overflow