However, this commit #161 Gas Optimizations reverts this change back to the original code; the comparison still compares totalSupply() + shares against globalLendLimit:
    if (totalSupply() + shares > globalLendLimit) {
        revert GlobalLendLimit();
    }
    if (assets > dailyLendIncreaseLimitLeft) {
        revert DailyLendIncreaseLimit();
    }
Recommended mitigation
Bring back the change to convert totalSupply to assets before comparison:
Lines of code
https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol#L961-L963
Vulnerability details
C4 issue
M-12: Wrong global lending limit check in _deposit function
Comment
The original code wrongly uses totalSupply() to check against globalLendLimit; this needs to be converted to assets first:
Proof of Concept
PR #16 converts the asset before comparison:
However, this commit #161 Gas Optimizations reverts this change back to the original code; the comparison still compares totalSupply() + shares against globalLendLimit:
Recommended mitigation
Bring back the change to convert totalSupply to assets before comparison:
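The unit mismatch behind this finding, as an added example that is not code from V3Vault.sol or from either PR: the same limit check written once in shares and once in assets. The contract name, `lendExchangeRateX96`, `toAssetsRoundUp`, `checkInShares` and `checkInAssets` are hypothetical, and the example assumes the exchange rate is assets per share in Q96 fixed point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the shares-vs-assets limit check; not project code.
contract LendLimitCheck {
    error GlobalLendLimit();

    uint256 internal constant Q96 = 2 ** 96;

    uint256 public totalSupply;          // outstanding shares
    uint256 public globalLendLimit;      // cap, denominated in assets
    uint256 public lendExchangeRateX96;  // assets per share, Q96 (assumed format)

    constructor(uint256 supply, uint256 limit, uint256 rateX96) {
        totalSupply = supply;
        globalLendLimit = limit;
        lendExchangeRateX96 = rateX96;
    }

    /// Shares -> assets, rounded up so the limit check errs on the strict side.
    /// Checked arithmetic makes an oversized product revert instead of wrapping.
    function toAssetsRoundUp(uint256 shareAmount) public view returns (uint256) {
        uint256 product = shareAmount * lendExchangeRateX96;
        return product == 0 ? 0 : (product - 1) / Q96 + 1;
    }

    /// Check as quoted on the page: a share count compared with an asset cap.
    function checkInShares(uint256 shares) external view {
        if (totalSupply + shares > globalLendLimit) {
            revert GlobalLendLimit();
        }
    }

    /// Same check with both sides of the comparison denominated in assets.
    function checkInAssets(uint256 shares) external view {
        if (toAssetsRoundUp(totalSupply + shares) > globalLendLimit) {
            revert GlobalLendLimit();
        }
    }
}
```

Deployed with constructed values `supply = 800`, `limit = 1000` and `rateX96 = 5 * 2**96 / 4`, `checkInShares(100)` passes because 900 is below 1000, while `checkInAssets(100)` reverts because 900 shares represent 1125 assets.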
Assessed type
Other