code-423n4 / 2024-05-bakerfi-findings


wethLefts cannot be used #28

Closed c4-bot-8 closed 5 months ago

c4-bot-8 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/59b1f70cbf170871f9604e73e7fe70b70981ab43/contracts/core/strategies/StrategyLeverage.sol#L565

Vulnerability details

Impact

WETH cannot be used, resulting in a loss of funds

Proof of Concept

The _payDebt function may produce extra WETH; this WETH is provided to AAVE through _supply for use as collateral.

    function _payDebt(uint256 debtAmount, uint256 fee) internal {
        .....
        uint256 wethLefts = output > (debtAmount + fee) ? output - (debtAmount + fee) : 0;
        if (wethLefts > 0) {
            _supply(wETHA(), wethLefts);
        }
        emit StrategyUndeploy(msg.sender, debtAmount);
    }

The problem is StrategyAAVEv3 doesn't use WETH as collateral.

    //_supplyAndBorrow(ierc20A(), collateralIn, wETHA(), loanAmount + fee);
    function _supplyAndBorrow(address assetIn, uint256 amountIn, address assetOut, uint256 borrowOut
    ) internal override virtual {
        _supply(assetIn, amountIn);
        //@audit assetIn is always ierc20A
        aaveV3().setUserUseReserveAsCollateral(assetIn, true);
        aaveV3().borrow(assetOut, borrowOut, 2, 0, address(this));
    }

So wethLefts cannot be used.

The collateralBalance obtained by _getMMPosition also does not contain wETH.

    function _getMMPosition() internal virtual override view returns ( uint256 collateralBalance, uint256 debtBalance ) {
        DataTypes.ReserveData memory wethReserve = (aaveV3().getReserveData(wETHA()));
        DataTypes.ReserveData memory colleteralReserve = (aaveV3().getReserveData(ierc20A()));
        debtBalance = IERC20(wethReserve.variableDebtTokenAddress).balanceOf(address(this));
@>      collateralBalance = IERC20(colleteralReserve.aTokenAddress).balanceOf(address(this));
    }

Tools Used

vscode, manual

Recommended Mitigation Steps

Convert WETH to ierc20A and then call _supply

Assessed type

Other
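
The accounting gap in the two quoted functions can be reproduced with a small model. This is an added example, not code from the report or from BakerFi or Aave: `MockPool`, `Strategy`, `untracked_supply` and all amounts are constructed, and only the quoted tail of `_payDebt` and the quoted `_getMMPosition` are modelled.

```python
from collections import defaultdict

# Labels standing in for wETHA() and ierc20A(); constructed for this example.
WETH, COLLATERAL = "WETH", "ierc20A"

class MockPool:
    """Hypothetical stand-in for the lending pool: balances per (user, asset)."""
    def __init__(self):
        self.a_token = defaultdict(int)   # supplied balances (aTokens)
        self.debt = defaultdict(int)      # variable debt balances

    def supply(self, user, asset, amount):
        self.a_token[(user, asset)] += amount

class Strategy:
    def __init__(self, pool):
        self.pool = pool

    def pay_debt_tail(self, output, debt_amount, fee):
        # Mirrors the quoted end of _payDebt: surplus WETH is supplied to the pool.
        owed = debt_amount + fee
        weth_lefts = output - owed if output > owed else 0
        if weth_lefts > 0:
            self.pool.supply(self, WETH, weth_lefts)
        return weth_lefts

    def get_mm_position(self):
        # Mirrors the quoted _getMMPosition: only the ierc20A aToken is read.
        collateral = self.pool.a_token[(self, COLLATERAL)]
        debt = self.pool.debt[(self, WETH)]
        return collateral, debt

def untracked_supply(strategy):
    """Invariant check: supplied balances held outside the collateral reserve,
    i.e. value that get_mm_position() never reports."""
    return {asset: amt
            for (user, asset), amt in strategy.pool.a_token.items()
            if user is strategy and asset != COLLATERAL and amt > 0}

def demo():
    pool = MockPool()
    s = Strategy(pool)
    pool.supply(s, COLLATERAL, 1000)      # constructed starting position
    pool.debt[(s, WETH)] = 600
    before = s.get_mm_position()
    left = s.pay_debt_tail(output=320, debt_amount=300, fee=5)
    after = s.get_mm_position()
    return before, left, after, untracked_supply(s)

if __name__ == "__main__":
    print(demo())
```

An invariant test of the form `untracked_supply(strategy) == {}` after every undeploy path flags this class of accounting gap.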

c4-judge commented 5 months ago

0xleastwood marked the issue as duplicate of #41

c4-judge commented 5 months ago

0xleastwood marked the issue as satisfactory