User could try to create correct amount of credit (above minimumCreditBorrowAToken) but fail to do so because under some circumstances minimumCreditBorrowAToken will be compared to the incoming cash (instead of the end credit value).
Proof of Concept
minimumCreditBorrowAToken is used to ensure "the minimum credit value of loans" as it is stated in a code comment here.
We call it with exactAmountIn == true and params.creditPositionId == RESERVED_ID. params.amount in this case will represent the amount of cash that will be is sent to the borrower minus the fees. The credit amount of the loan is going to be params.amount * PERCENT + ratePerTenor / PERCENT.
This means that under these circumstances params.amount could be below minimumCreditBorrowAToken but the credit amount of the loan could be above this threshold when we add the interest so the transaction should not revert.
minimumCreditBorrowAToken is used to ensure that the credit of the loans are going to be more than this value but this requirement should not be present for the cash that is coming in.
Tools Used
Manual Review
Recommended Mitigation Steps
Ensure that a revert occurs only when params.amount is representing credit that is below minimumCreditBorrowAToken or when the end loan credit amount is below this threshold too.
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditMarket.sol#L91 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditMarket.sol#L93
Vulnerability details
Impact
User could try to create correct amount of credit (above
minimumCreditBorrowAToken
) but fail to do so because under some circumstancesminimumCreditBorrowAToken
will be compared to the incoming cash (instead of the end credit value).Proof of Concept
minimumCreditBorrowAToken
is used to ensure "the minimum credit value of loans" as it is stated in a code commenthere
.Let's use
buyCreditMarket
for the example.We call it with exactAmountIn == true and params.creditPositionId == RESERVED_ID.
params.amount
in this case will represent the amount of cash that will be is sent to the borrower minus the fees. The credit amount of the loan is going to beparams.amount * PERCENT + ratePerTenor / PERCENT
.This means that under these circumstances
params.amount
could be belowminimumCreditBorrowAToken
but the credit amount of the loan could be above this threshold when we add the interest so the transaction should not revert.minimumCreditBorrowAToken
is used to ensure that the credit of the loans are going to be more than this value but this requirement should not be present for the cash that is coming in.Tools Used
Manual Review
Recommended Mitigation Steps
Ensure that a revert occurs only when
params.amount
is representing credit that is belowminimumCreditBorrowAToken
or when the end loan credit amount is below this threshold too.Assessed type
Invalid Validation