code-423n4 / 2024-05-bakerfi-findings

4 stars 4 forks source link

StrategyLeverage.harvest doesn't account flashloan fee #36

Open c4-bot-3 opened 5 months ago

c4-bot-3 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/strategies/StrategyLeverage.sol#L397-L399

Vulnerability details

Proof of Concept

StrategyLeverage.harvest function checks position state. In case if position LTV is bigger than max LTV, then extra debt is repaid to decrease LTV back to normal.

In order to repay part of debt, flashloan is taken and contract should pay fee for it. So overall after adjusting our debt is decreased with deltaDebt but our collateral is decreased with deltaDebt + fee.

The problem is that this is not reflected in the newDeployedAmount calculation as it thinks that both collateral and debt where decreased by deltaDebt.

As result of this newDeployedAmount is bigger than it is in reality(in reality it is newDeployedAmount - fee), which means that later when some profit accrued, protocol may not receive it. For example if profit is < fee, then protocol won't receive it and if profit is > fee, then protocol will receive management fee based on profit - fee amount.

Impact

Protocol may receive smaller amount of fees.

Tools Used

VsCode

Recommended Mitigation Steps

Make _adjustDebt returns fee as well and use it to decrease collateral.

Assessed type

Error

c4-judge commented 5 months ago

0xleastwood marked the issue as primary issue

c4-judge commented 5 months ago

0xleastwood marked the issue as selected for report

ickas commented 5 months ago

Fixed → https://github.com/baker-fi/bakerfi-contracts/pull/48