search

sherlock-audit / 2023-04-blueberry-judging

8 stars 5 forks source link

SanketKogekar - The function `lend()` from `BlueBerryBank.sol` accepts 0 amount of tokens from the user #150

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

SanketKogekar

medium

The function lend() from BlueBerryBank.sol accepts 0 amount of tokens from the user

Summary

The function lend() from BlueBerryBank.sol accepts 0 amount of tokens from the user

Vulnerability Detail

lend() allows user to deposit 0 tokens in the contract.

function lend(
        address token,
        uint256 amount
    ) external override inExec poke(token) onlyWhitelistedToken(token) {
        if (!isLendAllowed()) revert Errors.LEND_NOT_ALLOWED();

        Position storage pos = positions[POSITION_ID];
        Bank storage bank = banks[token];
        if (pos.underlyingToken != address(0)) {
            // already have isolated collateral, allow same isolated collateral
            if (pos.underlyingToken != token)
                revert Errors.INCORRECT_UNDERLYING(token);
        } else {
            pos.underlyingToken = token;
        }

        IERC20Upgradeable(token).safeTransferFrom(
            pos.owner,
            address(this),
            amount
        );
        _ensureApprove(token, address(feeManager), amount);
        amount = feeManager.doCutDepositFee(token, amount);
...

Impact

Code Snippet

https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L602

Tool used

Manual Review

Recommendation

Revert if amount == 0 to avoid 0 transfer