Closed c4-bot-1 closed 4 months ago
alcueca marked the issue as duplicate of #4
alcueca marked the issue as selected for report
piske-alex (sponsor) confirmed
Hi @alcueca,
This issue #28 describes a bug in the `borrow` function, which is used when borrowing.
However, issues #13 and #26 describe a bug in `borrow_collateral`, which is used when repaying the debt.
Therefore, issues #13 and #26 are not duplicates of #28, as they have a different root cause and mitigation.
CC: @c4-sponsor
You are right, @koolexcrypto.
@piske-alex, would you please review #26, which was incorrectly tagged as a duplicate of this one?
alcueca marked the issue as satisfactory
alcueca marked issue #16 as primary and marked this issue as a duplicate of 16
Lines of code
https://github.com/code-423n4/2024-04-lavarage/blob/9e8295b542fb71b2ba9b4693e25619585266d19e/libs/smart-contracts/programs/lavarage/src/processor/swap.rs#L41-L50
Vulnerability details
Impact
All trading pools can be drained easily, which will lead to massive losses for lenders
Proof of Concept
The current implementation of the `borrow` function, located in the `swap.rs` file, has a major flaw. Although the function has a verification in place to ensure that a subsequent instruction calls `add_collateral` after it, the verification is implemented in such a way that it can be bypassed.

As can be seen, the verification consists of two equality checks that require the `trading_pool` and `trader` public keys passed in the `add_collateral` function's context to be equal to the ones passed in the current `borrow` function's context. However, this is not enough, since the `position_account` public key passed to both of those functions is derived from three values: `trading_pool`, `trader` and `random_account_as_id`. This means a user can craft a transaction whose `add_collateral` instruction targets a position that already exists (same `trading_pool`, same `trader`, different `random_account_as_id`), which still passes the `borrow` function's verification, effectively allowing them to borrow an unlimited amount of SOL from any trading pool without putting any collateral at stake for it (in other words, allowing them to steal all SOL from any trading pool).

The following coded PoC demonstrates the issue. To run it, paste it at the bottom of the `lavarage` describe block in the `lavarage.spec.ts` test file and then run `anchor test` in `libs/smart-contracts`. The tests inside `lavarage.spec.ts` are stateful, so the order in which they are executed matters.

Tools Used
Manual review
Recommended Mitigation Steps
Instead of verifying that the `trading_pool` and `trader` values are equal to the ones in the `borrow` function's context, verify that the `position_account` value is equal to the one in its context:

Assessed type
Invalid Validation
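The following is an added illustration, not code from the Lavarage repository or from the report above. It models the instruction-introspection check that `borrow` applies to the following `add_collateral` instruction, the bypass the finding describes, and the recommended fix, in plain Rust. Solana's `Pubkey` and `find_program_address` are replaced by std-only stand-ins (a 32-byte key type and a hash over the three seeds `trading_pool`, `trader`, `random_account_as_id`); those stand-ins, the account labels and the function names are assumptions made for the sake of a runnable example.

```rust
// Added example, not the Lavarage program's code. Assumptions: Pubkey is a
// 32-byte stand-in, and the PDA derivation is a std hash over the three seeds
// instead of Solana's find_program_address.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Stand-in for a Solana public key.
#[derive(Clone, Copy, PartialEq, Eq, Debug, Hash)]
pub struct Pubkey(pub [u8; 32]);

/// Fill 32 bytes deterministically from anything hashable (helper for both
/// label-derived keys and the PDA stand-in below).
fn fill_bytes<T: Hash>(seed: &T) -> [u8; 32] {
    let mut bytes = [0u8; 32];
    for (i, chunk) in bytes.chunks_mut(8).enumerate() {
        let mut h = DefaultHasher::new();
        (seed, i).hash(&mut h);
        chunk.copy_from_slice(&h.finish().to_le_bytes());
    }
    bytes
}

impl Pubkey {
    /// Deterministic stand-in key from a label, for constructing test accounts.
    pub fn from_label(label: &str) -> Pubkey {
        Pubkey(fill_bytes(&("label", label)))
    }
}

/// PDA stand-in: position_account commits to all three seeds, so two positions
/// of the same trader in the same pool differ whenever random_account_as_id does.
pub fn derive_position_account(
    trading_pool: &Pubkey,
    trader: &Pubkey,
    random_account_as_id: &Pubkey,
) -> Pubkey {
    Pubkey(fill_bytes(&("position", trading_pool, trader, random_account_as_id)))
}

/// The accounts one instruction (borrow or add_collateral) sees in its context.
#[derive(Clone, Copy, Debug)]
pub struct PositionAccounts {
    pub trading_pool: Pubkey,
    pub trader: Pubkey,
    pub position_account: Pubkey,
}

impl PositionAccounts {
    pub fn new(trading_pool: Pubkey, trader: Pubkey, random_account_as_id: Pubkey) -> Self {
        let position_account = derive_position_account(&trading_pool, &trader, &random_account_as_id);
        PositionAccounts { trading_pool, trader, position_account }
    }
}

/// The check as the finding describes it: only trading_pool and trader of the
/// following add_collateral instruction are compared with borrow's context.
pub fn vulnerable_check(borrow: &PositionAccounts, next_add_collateral: &PositionAccounts) -> bool {
    borrow.trading_pool == next_add_collateral.trading_pool
        && borrow.trader == next_add_collateral.trader
}

/// The recommended check: compare position_account, which already binds
/// trading_pool, trader and random_account_as_id together.
pub fn hardened_check(borrow: &PositionAccounts, next_add_collateral: &PositionAccounts) -> bool {
    borrow.position_account == next_add_collateral.position_account
}

/// Attacker's transaction: borrow against a brand-new position, followed by an
/// add_collateral for an older position of the same trader in the same pool.
/// Returns (passes vulnerable check, passes hardened check).
pub fn evaluate_attack() -> (bool, bool) {
    let pool = Pubkey::from_label("trading_pool");
    let trader = Pubkey::from_label("attacker");
    let old_position = PositionAccounts::new(pool, trader, Pubkey::from_label("random-id-1"));
    let new_position = PositionAccounts::new(pool, trader, Pubkey::from_label("random-id-2"));
    (vulnerable_check(&new_position, &old_position), hardened_check(&new_position, &old_position))
}

/// Honest transaction: add_collateral targets the position borrow just opened.
pub fn evaluate_honest() -> (bool, bool) {
    let pool = Pubkey::from_label("trading_pool");
    let trader = Pubkey::from_label("honest-trader");
    let position = PositionAccounts::new(pool, trader, Pubkey::from_label("random-id-3"));
    (vulnerable_check(&position, &position), hardened_check(&position, &position))
}

fn main() {
    let (vuln, hard) = evaluate_attack();
    println!("attack passes vulnerable check: {vuln}, passes hardened check: {hard}");
    let (vuln, hard) = evaluate_honest();
    println!("honest tx passes vulnerable check: {vuln}, passes hardened check: {hard}");
}
```

The attack transaction passes the two-field check because both instructions name the same pool and trader, while only the `position_account` comparison notices that the collateral is going to a different position than the one being borrowed against; the honest transaction passes both, so the fix does not break the intended flow.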