Malicious borrow & loanOffers can be created to intentionally cause a DOS, griefing unsuspecting protocol users who attempt to match with these offers and end up paying transaction costs.
A coordinated attack, with hundreds of offers featuring very favourable conditions, could flood the Order Book could significantly impact the usability of the system as many legitimate users experience DOS.
This means that a malicious "lender" can create a loanOffer with extremely generous rates via BuyCreditLimit(), despite having no borrowATokens deposited in the protocol. Any user who tries to match with the offer via SellCreditMarket() will experience a DOS when the execution reverts in transferFrom() as the lender does not actually have any borrowATokens to transfer to the borrower.
Similarly, a malicious "borrower" can create a borrowOffer via SellCreditLimit() with no collateralTokens backing it. In this case, the revert will occur during the execution of SellCreditMarket(), will occur when validateMinimumCreditOpening() is executed, as the malicious user has no collateralTokens to open a credit position.
function validateMinimumCreditOpening(State storage state, uint256 credit) public view {
if (credit < state.riskConfig.minimumCreditBorrowAToken) {
revert Errors.CREDIT_LOWER_THAN_MINIMUM_CREDIT_OPENING(credit, state.riskConfig.minimumCreditBorrowAToken);
}
}
POC
This test shows how a borrower can create a borrowerOffer with no collateral deposited in the protocol which causes a DOS when a lender tries to match with it.
Add the test to BuyCreditMarket.t.sol:
Only allow lenders to create a loanOffer if they have a minimum amount of borrowATokens and prevent them from withdrawing that amount if they have an open loanOffer.
Similarly, only allow borrowers to create a borrowOffer if they have a minimum amount of collateralTokens and prevent them from withdrawing that amount if they have an open borrowOffer.
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditLimit.sol#L29-L66 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditLimit.sol#L25-L51 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditMarket.sol#L201-L202 https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditLimit.sol#L19-L52
Vulnerability details
Impact
Malicious borrow & loanOffers can be created to intentionally cause a DOS, griefing unsuspecting protocol users who attempt to match with these offers and end up paying transaction costs.
A coordinated attack, with hundreds of offers featuring very favourable conditions, could flood the Order Book could significantly impact the usability of the system as many legitimate users experience DOS.
Vulnerability Details
There are no restrictions, in
BuyCreditLimit()
orSellCreditLimit()
, on which users can create loanOffers and borrowOffers.This means that a malicious "lender" can create a loanOffer with extremely generous rates via
BuyCreditLimit()
, despite having noborrowATokens
deposited in the protocol. Any user who tries to match with the offer viaSellCreditMarket()
will experience a DOS when the execution reverts intransferFrom()
as the lender does not actually have anyborrowATokens
to transfer to the borrower.Similarly, a malicious "borrower" can create a borrowOffer via
SellCreditLimit()
with nocollateralTokens
backing it. In this case, the revert will occur during the execution ofSellCreditMarket()
, will occur whenvalidateMinimumCreditOpening()
is executed, as the malicious user has nocollateralTokens
to open a credit position.POC
This test shows how a borrower can create a borrowerOffer with no collateral deposited in the protocol which causes a DOS when a lender tries to match with it. Add the test to
BuyCreditMarket.t.sol
:Tools Used
Manual Review Foundry Testing
Recommendations
Only allow lenders to create a loanOffer if they have a minimum amount of borrowATokens and prevent them from withdrawing that amount if they have an open loanOffer.
Similarly, only allow borrowers to create a borrowOffer if they have a minimum amount of collateralTokens and prevent them from withdrawing that amount if they have an open borrowOffer.
Assessed type
DoS