code-423n4 / 2024-05-gondi-mitigation-findings


H-16 MitigationConfirmed #94

Open c4-bot-4 opened 3 months ago

c4-bot-4 commented 3 months ago

Lines of code

Vulnerability details

C4 Issue

H-16: validateOffer() reentry to manipulate exchangeRate

Comments

Original vulnerabilities: _validateOfferExecution() will be called during loan initiation (emitLoan) for each offerExecution.

For each validateOfferExecution() call, there could be multiple external callbacks. In the first callback (validateOfferExecution() → ILoanManager(lender).validateOffer()), the outstanding values in the pool are modified, but tokens are not transferred until after the _validateOfferExecution() call.

Original impacts: This allows later callbacks in _validateOfferExecution() to take advantage of the discrepancy in totalAssets() before/after the token transfer.

Mitigation

Fix: https://github.com/pixeldaogg/florida-contracts/pull/381/files

//src/interfaces/validators/IOfferValidator.sol
interface IOfferValidator {
    /// @notice Validate a loan offer.
    function validateOffer(IMultiSourceLoan.LoanOffer calldata _offer, uint256 _tokenId, bytes calldata _validatorData)
        external view;
}
...

The original attack is carried out in _checkValidators() → IOfferValidator(thisValidator.validator).validateOffer(). The mitigation is to prevent IOfferValidator(thisValidator.validator).validateOffer() from triggering any state changes by restricting the interface's validateOffer() to view only.

This restricts runtime calls to be view only, eliminating the attack vector and resolving the issue.

Conclusion

LGTM
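As an added illustration of why declaring validateOffer() as view in the interface closes the window described above (this is example code, not Gondi's contracts or the PR's own diff; ToyLoanManager, LoanOffer, ReadOnlyValidator and StateWritingValidator are hypothetical stand-ins): when the caller's interface marks a function view, the Solidity compiler emits STATICCALL instead of CALL for that external call. Under STATICCALL the EVM reverts any state modification performed by the callee or by anything it calls in turn, so a validator that tried to re-enter the loan manager and change pool accounting between the "outstanding" update and the token transfer would revert the whole transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical offer struct standing in for IMultiSourceLoan.LoanOffer.
struct LoanOffer {
    address lender;
    uint256 principalAmount;
}

/// Interface before the fix: a plain external call (CALL opcode), so the
/// validator runs with full write access and can call back into the caller.
interface IOfferValidatorUnsafe {
    function validateOffer(LoanOffer calldata offer, uint256 tokenId, bytes calldata data) external;
}

/// Interface with the mitigation applied: `view` makes the compiler emit
/// STATICCALL, so any SSTORE, ETH transfer or event emission reached from the
/// validator (including via re-entry into the caller) reverts.
interface IOfferValidatorView {
    function validateOffer(LoanOffer calldata offer, uint256 tokenId, bytes calldata data) external view;
}

/// Minimal stand-in for the loan manager: accounting is updated first, the
/// validator is consulted, and only then does the token balance move. The gap
/// between the two writes is the window the original finding relied on.
contract ToyLoanManager {
    uint256 public outstanding; // amount committed to loans (updated first)
    uint256 public balance;     // tokens actually held (updated last)

    constructor() {
        balance = 1_000 ether;
    }

    /// Pre-fix shape: the validator is reached through CALL.
    function emitLoanUnsafe(address validator, LoanOffer calldata offer, uint256 tokenId) external {
        outstanding += offer.principalAmount;
        IOfferValidatorUnsafe(validator).validateOffer(offer, tokenId, "");
        balance -= offer.principalAmount;
    }

    /// Post-fix shape: identical ordering, but the validator is reached through
    /// STATICCALL, so it cannot persist any change while accounting is mid-update.
    function emitLoanSafe(address validator, LoanOffer calldata offer, uint256 tokenId) external {
        outstanding += offer.principalAmount;
        IOfferValidatorView(validator).validateOffer(offer, tokenId, "");
        balance -= offer.principalAmount;
    }

    /// Total assets as the pool sees them at any point in the call.
    function totalAssets() external view returns (uint256) {
        return balance + outstanding;
    }
}

/// A well-behaved validator: reads state, writes nothing. Works under both
/// interfaces because it performs no state change.
contract ReadOnlyValidator is IOfferValidatorView {
    uint256 public immutable maxPrincipal;

    constructor(uint256 _maxPrincipal) {
        maxPrincipal = _maxPrincipal;
    }

    function validateOffer(LoanOffer calldata offer, uint256, bytes calldata) external view override {
        require(offer.principalAmount <= maxPrincipal, "principal too large");
    }
}

/// A validator that writes storage when consulted. Through emitLoanUnsafe the
/// write succeeds; through emitLoanSafe the STATICCALL context makes the
/// SSTORE revert, and with it the entire emitLoan call. The same holds for any
/// state-changing call the validator might make back into ToyLoanManager.
contract StateWritingValidator is IOfferValidatorUnsafe {
    uint256 public timesCalled;

    function validateOffer(LoanOffer calldata, uint256, bytes calldata) external override {
        timesCalled += 1; // reverts when reached via STATICCALL
    }
}
```

Deploying the three contracts and calling emitLoanUnsafe with StateWritingValidator succeeds and increments timesCalled; calling emitLoanSafe with the same validator reverts, while ReadOnlyValidator passes through both paths. The check lives in the caller's declared interface rather than in the validator's own code, which is why the PR's one-line change to IOfferValidator is sufficient: a third-party validator cannot opt out of STATICCALL by declaring its own function non-view.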

c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory

c4-judge commented 3 months ago

alex-ppg marked the issue as confirmed for report