M-08: DailyLendIncreaseLimitLeft and dailyDebtIncreaseLimitLeft are not adjusted accurately
Comments
V3Vault utilizes a daily limit check for lending and debt operations. These daily limit checks limit how much assets are utilized in debt/lend operations. The expected specs for using a daily limit check is as follows:
Reset the daily limit if necessary.
Increase/decrease the daily limit.
Unfortunately, the _repay and _withdraw functions do not implement this spec correctly. Both the _repay and _withdraw functions do not reset the daily limits at the beginning of their operations. If either function is called before the deposit function is called (which correctly implements the daily limit spec), the deposit function will reset the daily limit and null and void the increase in the daily limit from any previously made _repay or _withdraw function calls.
Mitigation
PR #11
The implemented fix correctly calls both _resetDailyLendIncreaseLimit() for the _withdraw function and _resetDailyDebtIncreaseLimit() for the _repay function at the beginning of either function call. This ensures that the increases in either the debt or lend daily limits will apply going forward if any other operation is called within the next 24 hour period.
Lines of code
Vulnerability details
C4 issue
M-08: DailyLendIncreaseLimitLeft and dailyDebtIncreaseLimitLeft are not adjusted accurately
Comments
V3Vault utilizes a daily limit check for lending and debt operations. These daily limit checks limit how much assets are utilized in debt/lend operations. The expected specs for using a daily limit check is as follows:
Unfortunately, the _repay and _withdraw functions do not implement this spec correctly. Both the _repay and _withdraw functions do not reset the daily limits at the beginning of their operations. If either function is called before the deposit function is called (which correctly implements the daily limit spec), the deposit function will reset the daily limit and null and void the increase in the daily limit from any previously made _repay or _withdraw function calls.
Mitigation
PR #11
The implemented fix correctly calls both _resetDailyLendIncreaseLimit() for the _withdraw function and _resetDailyDebtIncreaseLimit() for the _repay function at the beginning of either function call. This ensures that the increases in either the debt or lend daily limits will apply going forward if any other operation is called within the next 24 hour period.
Conclusion
LGTM