search

sherlock-audit / 2022-09-notional-judging

4 stars 2 forks source link

8olidity - MaxBorrowMarketIndex does not limit borrowAndEnterVault() DOS #36

Closed rcstanciu closed 1 year ago

rcstanciu commented 1 year ago

8olidity

medium

MaxBorrowMarketIndex does not limit borrowAndEnterVault() DOS

Summary

MaxBorrowMarketIndex does not limit borrowAndEnterVault() DOS

Vulnerability Detail

poc

  1. UpdateVault () updates the vaultConfig file

  2. Set maxBorrowMarketIndex to a small value

  3. When a user calls borrowAndEnterVault() it will run to checkValidMaturity()

  4. Require (marketIndex <= maxBorrowMarketIndex, "Invalid Maturity"); The judgment may fail, causing the function to fail

    Impact

    MaxBorrowMarketIndex does not limit borrowAndEnterVault() DOS

    Code Snippet

    https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAction.sol#L27

// contracts-v2/contracts/external/actions/VaultAction.sol
function updateVault(
    address vaultAddress,
    VaultConfigStorage calldata vaultConfig,
    uint80 maxPrimaryBorrowCapacity
) external override onlyOwner {
    VaultConfiguration.setVaultConfig(vaultAddress, vaultConfig);
    VaultConfiguration.setMaxBorrowCapacity(vaultAddress, vaultConfig.borrowCurrencyId, maxPrimaryBorrowCapacity);
    bool enabled = (vaultConfig.flags & VaultConfiguration.ENABLED) == VaultConfiguration.ENABLED;
    emit VaultUpdated(vaultAddress, enabled, maxPrimaryBorrowCapacity);
}

// contracts-v2/contracts/internal/vaults/VaultAccount.sol
function borrowAndEnterVault(
    VaultAccount memory vaultAccount,
    VaultConfig memory vaultConfig,
    uint256 maturity,
    uint256 fCashToBorrow,
    uint32 maxBorrowRate,
    bytes calldata vaultData,
    uint256 strategyTokenDeposit,
    uint256 additionalUnderlyingExternal
) internal returns (uint256 strategyTokensAdded) {
        ......    
        VaultConfiguration.checkValidMaturity(
            vaultConfig.borrowCurrencyId,
            maturity,
            vaultConfig.maxBorrowMarketIndex,
            block.timestamp
        );

// contracts-v2/contracts/internal/vaults/VaultConfiguration.sol
function checkValidMaturity(
    uint16 currencyId,
    uint256 maturity,
    uint256 maxBorrowMarketIndex,
    uint256 blockTime
) internal view returns (uint256 marketIndex) {
    bool isIdiosyncratic;
    uint8 maxMarketIndex = CashGroup.getMaxMarketIndex(currencyId);
    (marketIndex, isIdiosyncratic) = DateTime.getMarketIndex(maxMarketIndex, maturity, blockTime);
    require(marketIndex <= maxBorrowMarketIndex, "Invalid Maturity");
    require(!isIdiosyncratic, "Invalid Maturity");
}

Tool used

vscode Manual Review

Recommendation

check maxBorrowMarketIndex