search

sherlock-audit / 2023-04-ajna-judging

4 stars 3 forks source link

lemonmon - `Pool.addQuoteToken` rounding issue that can be used by a malicious user to round in the user's favor #101

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

lemonmon

high

Pool.addQuoteToken rounding issue that can be used by a malicious user to round in the user's favor

Summary

When a lender is adding quote tokens via Pool.addQuoteToken(), LenderActions.addQuoteToken() is called, where the addedAmount can be potentially rouned in favor of the user.

Vulnerability Detail

When adding quote tokens, amount_ is a param of the Pool.addQuoteToken function, chosen by the lender.

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L146-L147

The amount_ param is then passed to the LenderActions.addQuoteToken function (line 163):

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L158-L163

LenderActions.addQuoteToken() is then assigning the amount to addedAmount:

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L170

Then if the deposit is below the LUP, the addedAmount is adjusted by using the Maths.wmul function:

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L176

The Maths.wmul function is either rounding up or rounding down to the nearest WAD = 10**18, sometimes in favor of the protocol and sometimes against the protocol.

If the Maths.wmul function is rounding up and assigning the result to addedAmount, this is not in favor of the protocol but in favor of the user. Because addedAmount is then used to determine the users bucketLP_:

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L179-L183

The received amount of lp for the user can potentially be rounded up and the rounding can be in favor of the user.

Important note: Since the user can choose the addedAmount as shown above, they can influence the rounding that happens inside Maths.wmul() to make sure that the protocol will favor them by rounding up their lps.

Another note: Inside Pool.addQuoteToken the function _roundToScale is called that rounds the amount_ param to token precision. But poolState.quoteTokenScale is very likely to be smaller than WAD, which means that the rounding does not counter the Maths.wmul rounding.

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L155

Impact

When adding quote tokens, a lender can add an amount_ of their choice, so that the protocol is rounding in favor of the lender. This can be exploited.

Code Snippet

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L146-L147

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L158-L163

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L170

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L176

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L179-L183

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L155

Tool used

Manual Review

Recommendation

Make sure that LenderActions.addQuoteToken() doesn't round the addedAmount in favor of the user.