Protocol checks the current liquidity of the underlying borrow token in aaveV3 pool in buyCreditMarket(), sellCreditMarket() and liquidateWithReplacement(). The check gets the balance of an incorrect address (the variable pool) which does not hold any funds. This causes a revert every time any of these 3 functions are called.
Proof of Concept
Inside variablePool.supply() function inside AaveV3 code (that can be inspected via etherscan here) we can see that the funds are actually transferred immediately to the aTokenAddress:
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L178 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L188 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/Size.sol#L229
Vulnerability details
Impact
Protocol checks the current liquidity of the underlying borrow token in aaveV3 pool in
buyCreditMarket()
,sellCreditMarket()
andliquidateWithReplacement()
. The check gets the balance of an incorrect address (the variable pool) which does not hold any funds. This causes a revert every time any of these 3 functions are called.Proof of Concept
Inside variablePool.supply() function inside AaveV3 code (that can be inspected via etherscan
here
) we can see that the funds are actually transferred immediately to the aTokenAddress:The check will revert every time since the balance of variable pool is going to be 0.
Link to code:
link
Tools Used
Manual Review
Recommended Mitigation Steps
Use the aToken address to check what is the current liquidity:
Assessed type
Invalid Validation