search

sherlock-audit / 2022-10-astaria-judging

6 stars 1 forks source link

tives - invalid potentialDebt calculation #251

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

tives

high

invalid potentialDebt calculation

https://github.com/sherlock-audit/2022-10-astaria/blob/main/src/VaultImplementation.sol/#L221

https://github.com/sherlock-audit/2022-10-astaria/blob/main/src/LienToken.sol/#L256

uint256 potentialDebt = seniorDebt * (ld.rate + 1) * ld.duration;

uint256 potentialDebt = totalDebt *
      (impliedRate + 1) *
      params.terms.duration;

potentialDebt is multiplied by ld.rate + 1 and ld.duration. This means that the potentialDebt is doubled every passing second.

Impact

It is impossible to add additional debt to an existing vault. This is because the validateCommitment will fail because of too big potentialDebt:

require(
  potentialDebt <= ld.maxPotentialDebt,
  "Vault._validateCommitment(): Attempting to initiate a loan with debt potentially higher than maxPotentialDebt"
);

PoC

You can add this to AstariaTest

function testTwoCommitments() public {
  // Dummy721 nft = new Dummy721();
  TestNFT nft = new TestNFT(1);
  address tokenContract = address(nft);
  uint256 tokenId = uint256(0);

  uint256 initialBalance = WETH9.balanceOf(address(this));

  // create a PublicVault with a 14-day epoch
  address publicVault = _createPublicVault({
    strategist: strategistOne,
    delegate: strategistTwo,
    epochLength: 14 days
  });

  // lend 50 ether to the PublicVault as address(1)
  _lendToVault(
    Lender({addr: address(1), amountToLend: 50 ether}),
    publicVault
  );

  _commitToLien({
    vault: publicVault,
    strategist: strategistOne,
    strategistPK: strategistOnePK,
    tokenContract: tokenContract,
    tokenId: tokenId,
    lienDetails: standardLien,
    amount: 1 ether,
    isFirstLien: true
  });

  _commitToLien({
    vault: publicVault,
    strategist: strategistOne,
    strategistPK: strategistOnePK,
    tokenContract: tokenContract,
    tokenId: tokenId,
    lienDetails: standardLien,
    amount: 0.1 ether,
    isFirstLien: false
  });

  uint256 collateralId = tokenContract.computeId(tokenId);

  // make sure the borrow was successful
  assertEq(WETH9.balanceOf(address(this)), initialBalance + 2 ether);

  vm.warp(block.timestamp + 9 days);

  _repay(collateralId, 2 ether, address(this));
}

Mitigation

It seems would to me that the debt increase over time should be added to the original debt. Similarly(or some other mathematical function over time):

uint256 potentialDebt = seniorDebt + (ld.rate + 1) * ld.duration;

Duplicate of #182