Open hats-bug-reporter[bot] opened 7 months ago
This was intentional, because there may be leftover debtToken from a previous rebalance up.
Within a given rebalance up, if the surplus is less than `params.repaySurplusThreshold`, then it won't do that extra repay.
This means that a small surplus amount will be left in the contract until the next rebalance up. It needs to be picked up using balanceOf the next time around.
There is no impact that I can see here from a donation in this form, and no economic gain. Flashloan/sandwich isn't possible either, since this rebalance call uses Flashbots Protect and the timing of when it's run is randomised.
In fact, we explicitly check the resulting A/L is within a min/max too.
Given that, and that this is expected behaviour for carrying over amounts, this issue can be marked invalid.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xff8e612a5b10d054ad8ea091e13bdf1988fe0fbde1eb60a79f2826a646a99f1e
Severity: low

Description:
There may be some donated debt tokens in the `OrigamiLovTokenFlashAndBorrowManager`. During the rebalance up process, we convert reserve tokens to debt tokens. If there are remaining debt tokens after paying off the flash loan, we use these tokens to repay the debt. However, in some cases, we can also use the donated debt tokens.

Attack Scenario:
There is a functionality to reclaim donated tokens, implying that there may occasionally be donated debt tokens available.

During the rebalance up process, we first convert reserve tokens into debt tokens to pay off the flash loan. As indicated in the comment, if there are any extra debt tokens resulting from the swap, we use these tokens to repay the remaining debt.

However, `_debtToken.balanceOf(address(this))` also includes the donated debt tokens.

Attachments

Proof of Concept (PoC) File

Revised Code File (Optional)

The following fix is correct because it ensures that `debtTokenReceived` is greater than `flashRepayAmount`.
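The two accounting choices discussed in this thread, as an added Python model that is neither the Origami contract's code nor part of the report. `Manager`, `rebalance_up`, `run` and all amounts are constructed for illustration, the flash loan fee is ignored, and the "received" variant is an assumed reading of the proposed fix, whose code is not shown on this page.

```python
from dataclasses import dataclass

@dataclass
class Manager:
    debt: int                     # outstanding borrow in the lending market
    repay_surplus_threshold: int  # stands in for params.repaySurplusThreshold
    balance: int = 0              # stands in for _debtToken.balanceOf(address(this))

def rebalance_up(m, flash_repay_amount, debt_token_received, use_balance_of):
    """One rebalance up. Returns the extra debt repaid from surplus."""
    m.debt -= flash_repay_amount      # flash-loaned debt tokens repay debt
    m.balance += debt_token_received  # swap output: reserve -> debt token
    if use_balance_of:
        # Balance-based: leftovers from earlier runs and donations count too.
        if m.balance < flash_repay_amount:
            raise ValueError("cannot repay flash loan")
        surplus = m.balance - flash_repay_amount
    else:
        # Received-based (assumed fix): only this run's swap output counts.
        if debt_token_received <= flash_repay_amount:
            raise ValueError("swap output does not cover flash loan")
        surplus = debt_token_received - flash_repay_amount
    m.balance -= flash_repay_amount   # flash loan repaid
    if surplus < m.repay_surplus_threshold:
        return 0                      # small surplus stays in the contract
    repaid = min(surplus, m.debt)
    m.debt -= repaid
    m.balance -= repaid
    return repaid

def run(use_balance_of, donation=0):
    """Two consecutive rebalances, with an optional donation in between."""
    m = Manager(debt=10_000, repay_surplus_threshold=100)
    rebalance_up(m, 1_000, 1_040, use_balance_of)  # surplus 40: carried over
    m.balance += donation                          # unsolicited transfer in
    rebalance_up(m, 1_000, 1_070, use_balance_of)  # this run's surplus is 70
    return m.debt, m.balance

if __name__ == "__main__":
    print("balanceOf     :", run(True))        # carry-over 40 + 70 clears threshold
    print("received only :", run(False))       # 110 stays stranded in the contract
    print("with donation :", run(True, 500))   # donation only lowers the debt
```

In this model the balance-based variant sweeps the carried-over 40 once the combined surplus reaches the threshold, while the received-based variant leaves 110 idle; a 500 donation reduces debt by exactly 500 and returns nothing to the donor.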