seerether - Calling the kickWithDeposit function with insufficient deposit balance depletes User's deposits

[sherlock-admin]

seerether

high

Calling the kickWithDeposit function with insufficient deposit balance depletes User's deposits

Summary

There is no check to ensure that the lender's deposit has sufficient funds to cover this amount. If the lender's deposit is insufficient, the function will revert with the InsufficientLiquidity() error, but any gas consumed before the revert will be lost.

Vulnerability Detail

This vulnerability allows an attacker to repeatedly call the kickWithDeposit function, consuming gas each time, even if they don't have sufficient funds in their deposit. By doing this, the attacker can potentially cause a denial-of-service (DoS) attack by exhausting the gas limit of the block and also result to wasted transaction costs for honest participants due to unnecessary gas consumption

Impact

Users will lose funds by paying for the gas consumed during the execution of the function, even though the transaction did not succeed due to insufficient liquidity.

Code Snippet

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/libraries/external/KickerActions.sol#L239

Tool used

Manual Review

Recommendation

Add a check before deducting the amount from the lender's deposit. If the vars.amountToDebitFromDeposit is greater than the lender's deposit, the code reverts with the InsufficientLiquidity() error. This ensures that the lender's deposit has sufficient funds to cover the requested amount, and any gas consumed before the revert is prevented. This prevents the loss of gas fees https://github.com/seerether/Agna/blob/d9b6fd487967abe85dac8e27a32a76c139fdb64f/Ajnamitigate7#L79-L82

[hrishibhat]

Users will lose funds by paying for the gas consumed during the execution of the function, even though the transaction did not succeed due to insufficient liquidity.

Not a valid medium