Pool.addQuoteToken rounding issue that can be used by a malicious user to round in the user's favor
Summary
When a lender is adding quote tokens via Pool.addQuoteToken(), LenderActions.addQuoteToken() is called, where the addedAmount can be potentially rouned in favor of the user.
Vulnerability Detail
When adding quote tokens, amount_ is a param of the Pool.addQuoteToken function, chosen by the lender.
The Maths.wmul function is either rounding up or rounding down to the nearest WAD = 10**18, sometimes in favor of the protocol and sometimes against the protocol.
If the Maths.wmul function is rounding up and assigning the result to addedAmount, this is not in favor of the protocol but in favor of the user. Because addedAmount is then used to determine the users bucketLP_:
The received amount of lp for the user can potentially be rounded up and the rounding can be in favor of the user.
Important note: Since the user can choose the addedAmount as shown above, they can influence the rounding that happens inside Maths.wmul() to make sure that the protocol will favor them by rounding up their lps.
Another note: Inside Pool.addQuoteToken the function _roundToScale is called that rounds the amount_ param to token precision. But poolState.quoteTokenScale is very likely to be smaller than WAD, which means that the rounding does not counter the Maths.wmul rounding.
lemonmon
high
Pool.addQuoteToken
rounding issue that can be used by a malicious user to round in the user's favorSummary
When a lender is adding quote tokens via
Pool.addQuoteToken()
,LenderActions.addQuoteToken()
is called, where theaddedAmount
can be potentially rouned in favor of the user.Vulnerability Detail
When adding quote tokens,
amount_
is a param of thePool.addQuoteToken
function, chosen by the lender.https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L146-L147
The
amount_
param is then passed to theLenderActions.addQuoteToken
function (line 163):https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L158-L163
LenderActions.addQuoteToken()
is then assigning the amount toaddedAmount
:https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L170
Then if the deposit is below the LUP, the
addedAmount
is adjusted by using theMaths.wmul
function:https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L176
The
Maths.wmul
function is either rounding up or rounding down to the nearestWAD = 10**18
, sometimes in favor of the protocol and sometimes against the protocol.If the
Maths.wmul
function is rounding up and assigning the result toaddedAmount
, this is not in favor of the protocol but in favor of the user. BecauseaddedAmount
is then used to determine the usersbucketLP_
:https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L179-L183
The received amount of lp for the user can potentially be rounded up and the rounding can be in favor of the user.
Important note: Since the user can choose the
addedAmount
as shown above, they can influence the rounding that happens insideMaths.wmul()
to make sure that the protocol will favor them by rounding up their lps.Another note: Inside
Pool.addQuoteToken
the function_roundToScale
is called that rounds theamount_
param to token precision. ButpoolState.quoteTokenScale
is very likely to be smaller thanWAD
, which means that the rounding does not counter theMaths.wmul
rounding.https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L155
Impact
When adding quote tokens, a lender can add an
amount_
of their choice, so that the protocol is rounding in favor of the lender. This can be exploited.Code Snippet
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L146-L147
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L158-L163
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L170
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L176
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/LenderActions.sol#L179-L183
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/base/Pool.sol#L155
Tool used
Manual Review
Recommendation
Make sure that
LenderActions.addQuoteToken()
doesn't round theaddedAmount
in favor of the user.