Closed howlbot-integration[bot] closed 2 months ago
Duplicate of #152
@aviggiano Sponsors can only use these labels: sponsor confirmed, sponsor disputed, sponsor acknowledged.
hansfriese marked the issue as duplicate of #152
hansfriese marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/CapsLibrary.sol#L67-L72
Vulnerability details
Impact
The validateVariablePoolHasEnoughLiquidity() function in the CapsLibrary contract is used by buyCreditMarket(), sellCreditMarket(), and liquidateWithReplacement() to verify sufficient liquidity in AAVE for cash withdrawal. However, this verification can be bypassed if a user sandwiches it with a deposit() transaction to increase liquidity before the check and a withdraw() transaction to remove the increased liquidity after the check. The multicall() function in the Size contract further facilitates this method of bypassing the validateVariablePoolHasEnoughLiquidity() check.

Users who know how to bypass the validateVariablePoolHasEnoughLiquidity() check would have an unfair advantage over those who do not. For example, during times of low liquidity in AAVE, those aware of the bypass can still perform large amounts of credit buying and selling, while others cannot.

Proof of Concept
The above PoC shows that during times of low liquidity in Aave, the same buyCreditMarket transaction can only be successfully called by users who know how to bypass the validateVariablePoolHasEnoughLiquidity check.

Tools Used
Manual Review, Foundry
Recommended Mitigation Steps
Consider removing the validateVariablePoolHasEnoughLiquidity() checks, as they can be easily bypassed by users and potentially create unfairness among users.

Assessed type
Invalid Validation