StrategyLeverage.harvest doesn't account flashloan fee

[c4-bot-3]

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/strategies/StrategyLeverage.sol#L397-L399

Vulnerability details

Proof of Concept

StrategyLeverage.harvest function checks position state. In case if position LTV is bigger than max LTV, then extra debt is repaid to decrease LTV back to normal.

In order to repay part of debt, flashloan is taken and contract should pay fee for it. So overall after adjusting our debt is decreased with deltaDebt but our collateral is decreased with deltaDebt + fee.

The problem is that this is not reflected in the newDeployedAmount calculation as it thinks that both collateral and debt where decreased by deltaDebt.

As result of this newDeployedAmount is bigger than it is in reality(in reality it is newDeployedAmount - fee), which means that later when some profit accrued, protocol may not receive it. For example if profit is < fee, then protocol won't receive it and if profit is > fee, then protocol will receive management fee based on profit - fee amount.

Impact

Protocol may receive smaller amount of fees.

Tools Used

VsCode

Recommended Mitigation Steps

Make _adjustDebt returns fee as well and use it to decrease collateral.

Assessed type

Error

[c4-judge]

0xleastwood marked the issue as primary issue

[c4-judge]

0xleastwood marked the issue as selected for report

[ickas]

Fixed → https://github.com/baker-fi/bakerfi-contracts/pull/48