Closed c4-bot-4 closed 2 months ago
Hi, I would raise this issue as it will lead to unintended/unauthorized transactions.
Intended design. The borrower can mitigate this by disabling the global forSale flag or the position-specific forSale flag at the time of purchase using a multicall.
Lines of code
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/SellCreditLimit.sol#L45
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditMarket.sol#L83-L88
https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/LiquidateWithReplacement.sol#L71-L74
Vulnerability details
Impact
In a nutshell, this issue leads to unintended/unauthorized transactions on credit positions that someone may have only just acquired. Let me give some examples:
Scenario #1:
sellCreditLimit with her desired terms of borrow offer.
sellCreditLimit with her desired terms.
Proof of Concept
Insert the test function below into test/local/actions/BuyCreditMarket.t.sol and run it; it is the PoC of Scenario #1 described above. The test passes, which means Bob's newly acquired credit position can indeed be taken away immediately by someone else, even though Bob may not want to sell it at all.
Tools Used
Manual review.
Recommended Mitigation Steps
There are several possible mitigations.
The most straightforward one would be: instead of linking the borrow offer terms only to someone's account, link them to the account plus the credit position, so that terms meant for an old position do not affect future new positions.
One more thing worth noting: DO NOT link the terms only to credit positions while ignoring the account, because that can lead to another critical bug. For example, when James acquires the entire credit position from Bob, no new position is created; instead, the old position's lender simply changes from Bob to James. So, if the borrow terms were linked only to the credit position, James could immediately lose his position to another arbitrary lender even though James has no intention of selling it.
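The following is an added toy model, not Size's contract code, that shows in one place the three points made in this finding and in the sponsor's reply: an account-level borrow offer makes a newly acquired position buyable at once, a position-only key keeps the offer alive across a full transfer, and an account-plus-position key (or flipping the position's forSale flag in the same multicall as the purchase) closes the window. All names here (CreditMarket, sell_credit_limit, buy_credit_market, set_position_for_sale, multicall, the offer_key modes) are hypothetical stand-ins for the protocol's actions, and the APR values are constructed sample numbers.

```python
"""Toy model of how borrow-offer terms and the forSale flag interact on a credit
position. This is an added illustration, not Size's code: every name below is
hypothetical, and the APR figures are constructed sample values."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class CreditPosition:
    lender: str
    credit: int
    for_sale: bool = True   # positions start as forSale, as the finding describes

@dataclass
class BorrowOffer:
    max_apr_bps: int        # constructed: lender sells credit to buyers paying at most this rate

OfferKey = Tuple[Optional[str], Optional[int]]

class CreditMarket:
    """offer_key selects what a published borrow offer is attached to:
    'account'          -> the design the finding reports (offer follows the account)
    'position'         -> the variant the finding warns against (offer follows the position)
    'account+position' -> the recommended design (offer is scoped to both)
    """
    def __init__(self, offer_key: str) -> None:
        if offer_key not in ("account", "position", "account+position"):
            raise ValueError(offer_key)
        self.offer_key = offer_key
        self.offers: Dict[OfferKey, BorrowOffer] = {}
        self.positions: Dict[int, CreditPosition] = {}
        self.global_for_sale: Dict[str, bool] = {}   # per-account flag, default True
        self._next_id = 0

    def _key(self, lender: str, position_id: int) -> OfferKey:
        if self.offer_key == "account":
            return (lender, None)
        if self.offer_key == "position":
            return (None, position_id)
        return (lender, position_id)

    def create_position(self, lender: str, credit: int) -> int:
        pid = self._next_id
        self._next_id += 1
        self.positions[pid] = CreditPosition(lender, credit)
        return pid

    def sell_credit_limit(self, lender: str, position_id: int, offer: BorrowOffer) -> None:
        """Lender publishes the terms on which her credit may be bought.
        In 'account' mode the position id is ignored, which is the root of the issue."""
        self.offers[self._key(lender, position_id)] = offer

    def set_position_for_sale(self, caller: str, position_id: int, value: bool) -> None:
        pos = self.positions[position_id]
        if pos.lender != caller:
            raise PermissionError("only the current lender may change forSale")
        pos.for_sale = value

    def set_global_for_sale(self, account: str, value: bool) -> None:
        self.global_for_sale[account] = value

    def buy_credit_market(self, buyer: str, position_id: int, apr_bps: int) -> bool:
        """Full purchase of a position; returns True if the transfer happened."""
        pos = self.positions[position_id]
        offer = self.offers.get(self._key(pos.lender, position_id))
        if offer is None or not pos.for_sale or not self.global_for_sale.get(pos.lender, True):
            return False
        if apr_bps > offer.max_apr_bps:
            return False
        # As the finding notes, a full buy mints no new position: the lender field
        # of the existing position is simply reassigned to the buyer.
        pos.lender = buyer
        return True

    def multicall(self, calls: List[Callable[[], object]]) -> None:
        """Apply several actions in one step (stand-in for an atomic multicall)."""
        for call in calls:
            call()

def newly_acquired_position_taken(offer_key: str, protect_with_multicall: bool = False) -> bool:
    """Bob once offered to sell position p0, then buys Carol's position p1 without
    wanting to resell it. Returns True if James can take p1 from Bob right away."""
    m = CreditMarket(offer_key)
    p0 = m.create_position("Bob", 100)
    p1 = m.create_position("Carol", 50)
    m.sell_credit_limit("Bob", p0, BorrowOffer(max_apr_bps=500))    # Bob wants to sell p0 only
    m.sell_credit_limit("Carol", p1, BorrowOffer(max_apr_bps=500))  # Carol wants to sell p1
    if protect_with_multicall:
        # the sponsor's workaround: buy and flip the position's forSale flag in one go
        m.multicall([lambda: m.buy_credit_market("Bob", p1, 400),
                     lambda: m.set_position_for_sale("Bob", p1, False)])
    elif not m.buy_credit_market("Bob", p1, 400):
        raise RuntimeError("setup failed: Bob could not buy p1")
    return m.buy_credit_market("James", p1, 400)

if __name__ == "__main__":
    for key in ("account", "position", "account+position"):
        print(f"{key:17s} -> p1 taken from Bob: {newly_acquired_position_taken(key)}")
    print("account + multicall -> p1 taken from Bob:",
          newly_acquired_position_taken("account", protect_with_multicall=True))
```

Running it shows the account-keyed and position-keyed variants both let James take p1 immediately, while the account-plus-position key, or the multicall that disables the position's forSale flag at purchase time, makes the second purchase fail.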
Another mitigation would be, when a new credit position is created, not to set forSale: true by default as the code currently does. Setting forSale: false instead can help prevent the unintended transactions. However, this requires many other pieces of logic to change accordingly, so it is not the most straightforward mitigation.
Assessed type
Invalid Validation