search

sherlock-audit / 2023-02-blueberry-judging

12 stars 5 forks source link

Avci - wrong calculation in logic of the Lend function #357

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Avci

high

wrong calculation in logic of the Lend function

Summary

actually, the protocol stores the amount of the underlying token after the fee cut but if the token has the fees it will be wrong because there are fewer tokens with the higher fake amount

Vulnerability Detail

some tokens have fees in transferring process and the lend protocol also do cutting fee it will make issue because after that it gives us amount = doCutDepositFee(token, amount); amount and protocol stores that 

 pos.underlyingToken = token;
        pos.underlyingAmount += amount;

Some tokens take a transfer fee (e.g. STA, PAXG)

Impact

the amount that stored in protocol will not match with the tokens that really in the contract and it will cause really big problems and protocol insolvency

Code Snippet

 function lend(address token, uint256 amount)
        external
        override
        inExec
        poke(token)
        onlyWhitelistedToken(token)
    {
        if (!isLendAllowed()) revert LEND_NOT_ALLOWED();

        Position storage pos = positions[POSITION_ID];
        Bank storage bank = banks[token];
        if (pos.underlyingToken != address(0)) {
            // already have isolated collateral, allow same isolated collateral
            if (pos.underlyingToken != token)
                revert INCORRECT_UNDERLYING(token);
        }

        IERC20Upgradeable(token).safeTransferFrom(
            pos.owner,
            address(this),
            amount
        );
        amount = doCutDepositFee(token, amount);
        pos.underlyingToken = token;
        pos.underlyingAmount += amount;

        if (address(ISoftVault(bank.softVault).uToken()) == token) {
            IERC20Upgradeable(token).approve(bank.softVault, amount);
            pos.underlyingVaultShare += ISoftVault(bank.softVault).deposit(
                amount
            );
        } else {
            IERC20Upgradeable(token).approve(bank.hardVault, amount);
            pos.underlyingVaultShare += IHardVault(bank.hardVault).deposit(
                token,
                amount
            );
        }

        bank.totalLend += amount;

        emit Lend(POSITION_ID, msg.sender, token, amount);
    }

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/BlueBerryBank.sol#L620

Tool used

Manual Review

Recommendation

Duplicate of #153