search

code-423n4 / 2024-07-benddao-findings

3 stars 3 forks source link

`isolateRedeem()` revert in case Revert-on-zero-value-transfers tokens #30

Open c4-bot-6 opened 1 month ago

c4-bot-6 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-07-benddao/blob/main/src/libraries/logic/IsolateLogic.sol#L346-L354

Vulnerability details

Description

One of the features of this protocol is that the borrower can redeem his loan (under the Isolate Lending) after his loan goes into auction state (Before the end of the auction) by simply invoking IsolateLiquidation.sol#isolateRedeem(), However in order to keep the liquidators incentivized to lunch the auction for any bad debt, the borrower could get forced to pay them some fee (called bidFine)

The bidFine is defined by two factors bidFineFactor and minBidFineFactor, both of them are updatable from Configurator.sol#setAssetAuctionParams(), So, in case admin set them to zero

When the borrower tries to redeem his loan this logic from IsolateLogic.sol#executeIsolateRedeem()

File: IsolateLogic.sol#executeIsolateRedeem()

328:       (, vars.bidFines[vars.nidx]) = GenericLogic.calculateNftLoanBidFine(
329:         debtAssetData,
330:         debtGroupData,
331:         nftAssetData,
332:         loanData,
333:         vars.priceOracle
334:       );

will set the value of vars.bidFines[vars.nidx] to zero

After that, the flow will enter this IF block to transfer the bidFine to the liquidator who launched the auction.

File: IsolateLogic.sol#executeIsolateRedeem()

346:       if (loanData.firstBidder != address(0)) {
347:         // transfer bid fine from borrower to the first bidder
348:         VaultLogic.erc20TransferBetweenWallets(
349:           params.asset,
350:           params.msgSender,
351:           loanData.firstBidder,
352:           vars.bidFines[vars.nidx]
353:         );
354:       }

but in case params.asset is one of Revert-on-Zero-Value-Transfers tokens (are in scope) the transaction will revert because it is trying to transfer zero value vars.bidFines[vars.nidx] == 0

Impact

The borrower will never be able to redeem his loan after his loan goes into auction state

Proof of Concept

Tools Used

Recommended Mitigation Steps

File: IsolateLogic.sol#executeIsolateRedeem()

- 346:       if (loanData.firstBidder != address(0)) {
+ 346:       if (loanData.firstBidder != address(0) && vars.bidFines[vars.nidx] > 0) {
347:         // transfer bid fine from borrower to the first bidder
348:         VaultLogic.erc20TransferBetweenWallets(
349:           params.asset,
350:           params.msgSender,
351:           loanData.firstBidder,
352:           vars.bidFines[vars.nidx]
353:         );
354:       }

Assessed type

ERC20

MarioPoneder commented 4 weeks ago

ERC20 Revert on zero value transfers in scope according to README.

c4-judge commented 4 weeks ago

MarioPoneder marked the issue as primary issue

c4-judge commented 4 weeks ago

MarioPoneder marked the issue as satisfactory

c4-judge commented 4 weeks ago

MarioPoneder marked the issue as selected for report

thorseldon commented 4 weeks ago

Fixed at https://github.com/BendDAO/bend-v2/commit/b991f603e786eabee94d16926c4198a11b3276d6.