Lines of code

https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol#L961-L963

Vulnerability details

C4 issue

M-12: Wrong global lending limit check in _deposit function

Comment

The original code wrongly uses totalSupply() to check against globalLendLimit, this needs to be converted to assets first:

function _deposit(
    address receiver,
    uint256 amount,
    bool isShare,
    bytes memory permitData
) internal returns (uint256 assets, uint256 shares) {
    ...

    _mint(receiver, shares);

    //@audit must convert totalSupply() to assets before comparing with globalLendLimit
    if (totalSupply() > globalLendLimit) {
        revert GlobalLendLimit();
    }

    if (assets > dailyLendIncreaseLimitLeft) {
        revert DailyLendIncreaseLimit();
    } else {
        dailyLendIncreaseLimitLeft -= assets;
    }
    ...
}

Proof of Concept

PR #16 converts the asset before comparison:

        uint256 totalSupplyValue = _convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up);
        if (totalSupplyValue > globalLendLimit) {
            revert GlobalLendLimit();
        }

However, this commit #161 Gas Optimizations reverts this change back to the original code, the comparison part still compare totalSupply() + shares against globalLendLimit:

if (totalSupply() + shares > globalLendLimit) {
            revert GlobalLendLimit();
        }
        if (assets > dailyLendIncreaseLimitLeft) {
            revert DailyLendIncreaseLimit();
        }

Recommended mitigation

Bring back the change to convert totalSupply to asset before comparison:

uint256 totalSupplyValue = _convertToAssets(totalSupply(), newLendExchangeRateX96, Math.Rounding.Up);
        if (totalSupplyValue > globalLendLimit) {
            revert GlobalLendLimit();
        }

Assessed type

Other

code-423n4 / 2024-04-revert-mitigation-findings

M-12 Unmitigated #17