code-423n4 / 2024-04-revert-mitigation-findings


M-06 MitigationConfirmed #12

Open c4-bot-2 opened 4 months ago

c4-bot-2 commented 4 months ago

Lines of code

Vulnerability details

C4 issue

M-06: Users can lend and borrow above allowed limitations

Comment

The original code for the daily lend/borrow limit increase is wrong:

uint256 lendIncreaseLimit = _convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up)
                * (Q32 + MAX_DAILY_LEND_INCREASE_X32) / Q32;

uint256 debtIncreaseLimit = _convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up)
                * (Q32 + MAX_DAILY_DEBT_INCREASE_X32) / Q32;

MAX_DAILY_LEND_INCREASE_X32 and MAX_DAILY_DEBT_INCREASE_X32 are set to 10%, but the formulas calculate lendIncreaseLimit and debtIncreaseLimit as (Q32 + 0.1*Q32)/Q32 = 110%.

Mitigation

PR #22: The mitigation code updates the formulas to correctly reflect the daily lend/debt limit increase:

uint256 lendIncreaseLimit = _convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up)
                * MAX_DAILY_LEND_INCREASE_X32 / Q32;
uint256 debtIncreaseLimit = _convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up)
                * MAX_DAILY_DEBT_INCREASE_X32 / Q32;

The mitigation resolved the original issue.

Conclusion

LGTM
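
A Python model of the Q32 fixed-point arithmetic in the two formulas above, added here as an illustration and not taken from the report or the project's code. The total-assets figure, the deposit amounts and the `accepted_deposits` tracker are constructed assumptions, and `MAX_DAILY_LEND_INCREASE_X32` is taken as `Q32 / 10` to match the stated 10%.

```python
# Added illustration: models the integer arithmetic of both formulas.
Q32 = 2**32
MAX_DAILY_LEND_INCREASE_X32 = Q32 // 10  # assumed encoding of the stated 10%


def limit_original(total_assets: int) -> int:
    """Pre-mitigation formula: scales by (Q32 + X32) / Q32, i.e. about 110%."""
    return total_assets * (Q32 + MAX_DAILY_LEND_INCREASE_X32) // Q32


def limit_mitigated(total_assets: int) -> int:
    """Post-mitigation formula: scales by X32 / Q32, i.e. about 10%."""
    return total_assets * MAX_DAILY_LEND_INCREASE_X32 // Q32


def accepted_deposits(limit: int, deposits: list[int]) -> list[int]:
    """Hypothetical daily tracker: a deposit is accepted only if it fits in
    the allowance left for the day; otherwise it is rejected and skipped."""
    left, accepted = limit, []
    for amount in deposits:
        if amount <= left:
            left -= amount
            accepted.append(amount)
    return accepted


# Constructed sample: 1,000,000 units of a 6-decimal asset already supplied,
# followed by three deposits arriving on the same day.
TOTAL_ASSETS = 1_000_000 * 10**6
DEPOSITS = [60_000 * 10**6, 50_000 * 10**6, 900_000 * 10**6]


def effective_ratio_bps(limit_fn) -> int:
    """Daily limit in basis points of total assets. A regression test can
    compare this with the configured percentage (10% = 1000 bps)."""
    return round(limit_fn(TOTAL_ASSETS) * 10_000 / TOTAL_ASSETS)


if __name__ == "__main__":
    for name, fn in (("original", limit_original), ("mitigated", limit_mitigated)):
        ok = accepted_deposits(fn(TOTAL_ASSETS), DEPOSITS)
        print(f"{name}: {effective_ratio_bps(fn)} bps, accepted {sum(ok) // 10**6} units")
```

Under the original formula all three deposits fit, so more than the entire existing supply can be added in one day; under the mitigated formula only the first deposit fits.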

c4-judge commented 4 months ago

jhsagd76 marked the issue as satisfactory