code-423n4 / 2024-04-revert-mitigation-findings


M-06 MitigationConfirmed #83

Open c4-bot-10 opened 5 months ago

c4-bot-10 commented 5 months ago

Lines of code

Vulnerability details

C4 issue

M-06: Users can lend and borrow above allowed limitations

Comments

The original lend and debt limit update implementation utilized an incorrect formula:

```solidity
uint256 constant MAX_INCREASE_X32 = Q32 / 10;          // 10% in Q32 fixed point
// pre-mitigation: Q32 is added to the numerator, so the limit is 110% of supply
limit = total_supply * (MAX_INCREASE_X32 + Q32) / Q32; // == total_supply * 110% / 100%
```

This formula resulted in the lend/debt limits increasing by 110% and not 10%. This is because the formula added Q32 to the numerator in the percentage formula.

Mitigation

PR #22

By updating the numerator to just the max increase (Q32) lend/debt increase constants, the formula correctly calculates the lend/debt limits as 10% of the total supply instead of 110%.

```solidity
uint256 constant MAX_INCREASE_X32 = Q32 / 10;          // 10% in Q32 fixed point
// AUDIT: see the fix below where now we no longer have Q32 being added to the numerator
limit = total_supply * MAX_INCREASE_X32 / Q32;         // == total_supply * 10% / 100%
```

This formula now correctly returns 10% of the total supply. This is the correct value as per Revert's whitepaper.

Conclusion

LGTM
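Worked example of the two formulas side by side. This is an added illustration, not Revert's code and not part of the warden's submission: it reproduces only the arithmetic quoted above in Q32 fixed point (integer floor division, as in Solidity) and omits the vault's other limit logic (minimum limits, exchange-rate conversion, daily reset). `check_increase` is a hypothetical simplified daily-cap check used to show the practical effect of the wrong numerator.

```python
# Added example (not Revert's code): daily lend/debt increase limit before
# and after the M-06 mitigation, in Q32 fixed point with integer floor
# division to mirror Solidity uint256 arithmetic. Vault details (minimum
# limits, exchange-rate conversion, daily reset) are intentionally omitted;
# `check_increase` is a hypothetical simplification of the cap check.

Q32 = 1 << 32                    # 2**32, the fixed-point scale
MAX_INCREASE_X32 = Q32 // 10     # 10% expressed in Q32 (floors, as Q32 / 10 does in Solidity)


def daily_limit_old(total_supply: int) -> int:
    """Pre-mitigation formula: Q32 is added to the numerator, so the
    result is ~110% of total supply instead of the intended 10%."""
    return total_supply * (MAX_INCREASE_X32 + Q32) // Q32


def daily_limit_fixed(total_supply: int) -> int:
    """PR #22 formula: only MAX_INCREASE_X32 in the numerator, ~10%."""
    return total_supply * MAX_INCREASE_X32 // Q32


def limit_as_percent(total_supply: int, limit: int) -> float:
    """Share of supply the limit permits, for display only."""
    return 100.0 * limit / total_supply


def check_increase(total_supply: int, amount: int, limit_fn) -> bool:
    """Hypothetical daily-cap check: an increase of `amount` is allowed
    only if it fits within the limit derived from the current supply."""
    return amount <= limit_fn(total_supply)


if __name__ == "__main__":
    # Constructed input: 1,000,000 tokens with 6 decimals (USDC-style).
    supply = 1_000_000 * 10**6
    for name, fn in (("old", daily_limit_old), ("fixed", daily_limit_fixed)):
        lim = fn(supply)
        print(f"{name:5s} limit = {lim:>16d}  ({limit_as_percent(supply, lim):.6f}% of supply)")

    # An increase equal to 50% of supply passes the old check and is
    # rejected by the corrected one.
    big = supply // 2
    print("50% increase allowed (old):  ", check_increase(supply, big, daily_limit_old))
    print("50% increase allowed (fixed):", check_increase(supply, big, daily_limit_fixed))
```

Note that because `Q32 / 10` floors (2^32 is not divisible by 10), the corrected limit is a hair under 10% rather than exactly 10%; that is the expected direction of rounding for a cap, and it is the same in both the old and fixed formulas, so the mitigation only removes the spurious `+ Q32` term.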

c4-judge commented 5 months ago

jhsagd76 marked the issue as satisfactory

c4-judge commented 5 months ago

jhsagd76 marked the issue as confirmed for report