search

code-423n4 / 2024-06-size-findings

0 stars 0 forks source link

Improper Validation in the `BuyCreditMarket::validateBuyCreditMarket` Function Causes Incorrect Reverts When `params.exactAmountIn` is True resulting in an invariant break #119

Closed c4-bot-4 closed 2 months ago

c4-bot-4 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditMarket.sol#L91 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditMarket.sol#L93

Vulnerability details

Impact

The BuyCreditMarket::validateBuyCreditMarket function validates the params. amount to be more than the minimumCreditBorrowAToken (which according to the deploy script, it's 50 usdc or 5 usdc). Still, the function doesn't check that the amount is cash or credit. in most cases, the cash is less than the credit and if any user wants to buy credit and sets the params.exactAmountIn to true then the function should not check the amount with the minimum credit cause the amount is cash, not credit and it will revert which should not. The function could revert incorrectly, preventing users from executing valid transactions and could disrupt normal functionality. As a result, an invariant of the system breaks: REVERTS: Actions behave as expected under dependency reverts

@note Similarly, the SellCreditMarket::validateSellCreditMarket reverts under the same conditions

Proof of Concept

put this test into the BuyCreditMarket.t.sol:

    function test_BuyCreditMarket_buyCreditMarket_exactAmountIn_minimumCredit() public {
        _deposit(alice, weth, 100e18);
        _deposit(alice, usdc, 100e6);
        _deposit(bob, weth, 100e18);
        _deposit(bob, usdc, 100e6);
        _sellCreditLimit(alice, 0.1e18, 365 days);

        uint256 amountIn = 46e6;
        uint256 tenor = 365 days;

        _updateConfig("minimumCreditBorrowAToken", 50e6);
        assertEq(size.riskConfig().minimumCreditBorrowAToken, 50e6);
        vm.expectRevert(
            abi.encodeWithSelector(Errors.CREDIT_LOWER_THAN_MINIMUM_CREDIT.selector, amountIn, size.riskConfig().minimumCreditBorrowAToken)
        );
        size.buyCreditMarket(
            BuyCreditMarketParams({
                borrower: alice,
                creditPositionId: RESERVED_ID,
                tenor: 365 days,
                amount: amountIn,
                deadline: block.timestamp,
                minAPR: 0,
                exactAmountIn: true
            })
        );
    }

Tools Used

manual review

Recommended Mitigation Steps

make sure that the amount is the credit and if it's cash, consider the correct situation

Assessed type

Invalid Validation

C4-Staff commented 2 months ago

CloudEllie marked the issue as duplicate of #224

c4-judge commented 2 months ago

hansfriese marked the issue as satisfactory