code-423n4 / 2024-04-revert-mitigation-findings


M-12 Unmitigated #89

Open c4-bot-3 opened 2 months ago

c4-bot-3 commented 2 months ago

Lines of code

https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol?plain=1#L961-L963

Vulnerability details

C4 issue

M-12: Wrong global lending limit check in _deposit function

Comments

Revert utilizes a global lend limit to ensure that lenders do not exceed a global lend limit. Unfortunately, the global lend limit is denominated in assets. The value it compares itself to is totalSupply(), which is denominated in shares. This comparison is invalid since both values are in different denominations.

Lines of code

https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol?plain=1#L961-L963

Vulnerability details

The _deposit() function incorrectly utilizes the wrong denomination when comparing the globalLendLimit to the number of shares. The globalLendLimit denomination is set in assets. However, totalSupply() + shares denomination is set in shares. This makes this comparison check incorrect and can lead to more assets being lent than anticipated.

Impact

More assets may be deposited than expected.

Proof of Concept

Reviewing the function below:

if (totalSupply() + shares > globalLendLimit) {
    revert GlobalLendLimit();
}

Since totalSupply() + shares are denominated as shares and globalLendLimit as assets, the comparison is incorrect.

Tools Used

Manual review

Recommended Mitigation Steps

Convert the totalSupply() + shares to the correct denomination in assets:

uint256 totalSharesDenominatedInAssets = _convertToAssets(totalSupply() + shares, newLendExchangeRateX96, Math.Rounding.Up);
if (totalSharesDenominatedInAssets > globalLendLimit) {
    revert GlobalLendLimit();
}

Assessed type

Math

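A numeric model of the two checks quoted in the finding above, added here as an illustration; it is not code from the Revert repository or from this submission. It assumes the "X96" exchange rate is a fixed-point value scaled by 2^96 and that the rate stays constant while deposits are made; the helper names and the scenario values are constructed.

```python
# Added illustration: a Python model of the limit check, not Revert's Solidity.
Q96 = 2**96  # assumed fixed-point scale behind the "X96" suffix


def mul_div(a, b, denom, round_up=False):
    """Integer a*b/denom with an explicit rounding direction."""
    q, r = divmod(a * b, denom)
    return q + 1 if round_up and r else q


def convert_to_assets(shares, rate_x96, round_up=False):
    return mul_div(shares, rate_x96, Q96, round_up)


def convert_to_shares(assets, rate_x96, round_up=False):
    return mul_div(assets, Q96, rate_x96, round_up)


def within_limit_shares(total_supply, shares, rate_x96, limit):
    """Check as quoted in the finding: shares compared to an asset limit."""
    return total_supply + shares <= limit


def within_limit_assets(total_supply, shares, rate_x96, limit):
    """Recommended check: convert to assets (rounded up) before comparing."""
    return convert_to_assets(total_supply + shares, rate_x96, True) <= limit


def assets_accepted(check, rate_x96, limit, deposit):
    """Repeat equal deposits at a constant rate until the check rejects."""
    total_supply = assets_in = 0
    while True:
        shares = convert_to_shares(deposit, rate_x96)
        if not check(total_supply, shares, rate_x96, limit):
            return assets_in
        total_supply += shares
        assets_in += deposit


# Constructed scenario: one share is worth 1.25 assets after interest accrual.
RATE_X96 = Q96 * 5 // 4
LIMIT = 1_000_000  # globalLendLimit, in assets

if __name__ == "__main__":
    print(assets_accepted(within_limit_shares, RATE_X96, LIMIT, 10_000))
    print(assets_accepted(within_limit_assets, RATE_X96, LIMIT, 10_000))
```

In this constructed scenario the share-based comparison keeps accepting deposits until the vault holds 1,250,000 assets, while the converted comparison stops at the 1,000,000 limit.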

c4-judge commented 2 months ago

jhsagd76 marked the issue as satisfactory

c4-judge commented 2 months ago

jhsagd76 marked the issue as confirmed for report