code-423n4 / 2024-06-size-findings


Users can deposit USDC above the AToken cap #399

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/Multicall.sol#L40-L42

Vulnerability details

Impact

When using multicall, the AToken cap is not checked, only the increase of AToken is checked against the decrease of debt. A user can exploit this to deposit USDC above the AToken cap.

Proof of Concept

By doing these steps in one transaction, a user can deposit USDC above the AToken cap:

  0. Already have X AToken and a small amount of AToken for the swapping fee
  1. Flashloan ETH and deposit ETH
  2. Sell X credit to himself
  3. Make a multicall:
     a. Deposit X USDC
     b. Repay the debt in step 2 (the AToken in step 0 should cover the swapping fee)
  4. Withdraw ETH and pay back the flashloan

Because the increase of AToken in step 3a is equal to the decrease of debt in step 3b, the check at the end of the multicall passes. The user can repeat the steps above to deposit more AToken.

Tools Used

Manual Review.

Recommended Mitigation Steps

Add a check to cap the debtToken at the end of buyCreditMarket and sellCreditMarket.

Assessed type

Other
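The accounting gap the finding describes can be made concrete with a small model. The following is an added example, not Size protocol code and not code from the report author: the `Ledger`, `deposit`, `borrow`, `repay` and `multicall` names, the 1:1 USDC-to-AToken minting, the choice that repay leaves total AToken supply unchanged, and the sample numbers (cap 100, supply already 100) are all assumptions. It contrasts the relative-only end-of-multicall check (AToken increase must not exceed debt decrease) with the same flow plus an absolute cap check after the batch, which is one defensive variant and not the author's specific recommendation about `debtToken` in the credit market functions.

```python
# Constructed toy model of the multicall invariant discussed in this finding.
# Not Size protocol code; all names, amounts and the accounting rules are assumptions.

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Ledger:
    """Minimal protocol state: a supply cap on the borrow AToken plus two totals."""
    atoken_cap: int
    atoken_supply: int = 0   # total borrow AToken minted against deposits
    debt_supply: int = 0     # total outstanding debt token


class CapExceeded(Exception):
    pass


class InvariantViolated(Exception):
    pass


def deposit(ledger: Ledger, amount: int, enforce_cap: bool) -> None:
    """Deposit USDC, minting borrow AToken 1:1.

    In the model the cap is checked on the direct path but skipped inside a
    multicall, which is the behaviour the finding describes.
    """
    if enforce_cap and ledger.atoken_supply + amount > ledger.atoken_cap:
        raise CapExceeded(f"deposit of {amount} would exceed cap {ledger.atoken_cap}")
    ledger.atoken_supply += amount


def borrow(ledger: Ledger, amount: int) -> None:
    """Selling credit creates debt; this toy step mints no AToken."""
    ledger.debt_supply += amount


def repay(ledger: Ledger, amount: int) -> None:
    """Repaying burns debt; the AToken changes hands, so total supply is unchanged."""
    if amount > ledger.debt_supply:
        raise ValueError("repaying more than outstanding debt")
    ledger.debt_supply -= amount


Op = Callable[[Ledger], None]


def multicall(ledger: Ledger, ops: List[Op], check_cap_at_end: bool) -> Ledger:
    """Run ops with the per-call cap check disabled, then validate afterwards.

    check_cap_at_end=False reproduces the relative-only check from the finding:
    the AToken increase must not exceed the debt decrease, nothing else.
    check_cap_at_end=True additionally enforces the absolute cap after the batch.
    """
    supply_before = ledger.atoken_supply
    debt_before = ledger.debt_supply
    for op in ops:
        op(ledger)
    atoken_increase = ledger.atoken_supply - supply_before
    debt_decrease = debt_before - ledger.debt_supply
    if atoken_increase > debt_decrease:
        raise InvariantViolated("AToken increase exceeds debt decrease")
    if check_cap_at_end and ledger.atoken_supply > ledger.atoken_cap:
        raise CapExceeded("AToken supply above cap at end of multicall")
    return ledger


def run_scenario(check_cap_at_end: bool) -> Optional[Ledger]:
    """Cap 100 with supply already at 100: borrow 50, then multicall [deposit 50, repay 50].

    Returns the final ledger if the multicall is accepted, None if it is rejected.
    """
    ledger = Ledger(atoken_cap=100, atoken_supply=100)
    borrow(ledger, 50)
    try:
        multicall(
            ledger,
            [lambda l: deposit(l, 50, enforce_cap=False), lambda l: repay(l, 50)],
            check_cap_at_end=check_cap_at_end,
        )
    except (CapExceeded, InvariantViolated):
        return None
    return ledger


def direct_deposit_rejected() -> bool:
    """The same 50 USDC deposit on the direct (cap-checked) path is refused."""
    ledger = Ledger(atoken_cap=100, atoken_supply=100)
    try:
        deposit(ledger, 50, enforce_cap=True)
    except CapExceeded:
        return True
    return False


if __name__ == "__main__":
    loose = run_scenario(check_cap_at_end=False)
    print("relative-only check accepted supply", loose.atoken_supply, "against cap 100")
    print("with end-of-multicall cap check, multicall accepted:", run_scenario(True) is not None)
    print("direct deposit rejected by cap:", direct_deposit_rejected())
```

The relative check is satisfied because the 50 deposited and the 50 repaid cancel out in the comparison, even though total supply ends at 150 against a cap of 100; adding an absolute check at the end of the batch (or, as the author suggests, after the credit market operations) closes that gap without breaking the ordinary deposit-then-repay use of multicall when the result stays under the cap.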

c4-judge commented 3 months ago

hansfriese marked the issue as duplicate of #144

c4-judge commented 3 months ago

hansfriese marked the issue as satisfactory

c4-judge commented 3 months ago

hansfriese marked the issue as duplicate of #238