search

code-423n4 / 2024-06-size-validation

1 stars 0 forks source link

`executeBuyCreditMarket()` returns incorrect value for liquidity availability control #730

Open c4-bot-1 opened 4 months ago

c4-bot-1 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-size/blob/8850e25fb088898e9cf86f9be1c401ad155bea86/src/libraries/actions/BuyCreditMarket.sol#L121-L124

Vulnerability details

Impact

BuyCreditMarket operation will revert in the cases when the cashAmountIn - fees amount due to a borrower is available in the underlying pool, while cashAmountIn returned is not.

Proof of Concept

executeBuyCreditMarket() to return amountIn - fees similarly to other liqudity validation functions (SellCreditMarket and LiquidateWithReplacement):

Size.sol#L178-L185

    function buyCreditMarket(BuyCreditMarketParams calldata params) external payable override(ISize) whenNotPaused {
        state.validateBuyCreditMarket(params);
>>      uint256 amount = state.executeBuyCreditMarket(params);
        if (params.creditPositionId == RESERVED_ID) {
            state.validateUserIsNotBelowOpeningLimitBorrowCR(params.borrower);
        }
>>      state.validateVariablePoolHasEnoughLiquidity(amount);
    }

Now it will revert in the cases when the cashAmountIn - fees due to a borrower is available, while cashAmountIn is not:

BuyCreditMarket.sol#L121-L124

    function executeBuyCreditMarket(State storage state, BuyCreditMarketParams memory params)
        external
>>      returns (uint256 cashAmountIn)
    {

BuyCreditMarket.sol#L195-L197

>>      state.data.borrowAToken.transferFrom(msg.sender, borrower, cashAmountIn - fees);
        state.data.borrowAToken.transferFrom(msg.sender, state.feeConfig.feeRecipient, fees);
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Consider returning cashAmountIn - fees from executeBuyCreditMarket().

Assessed type

Other