search

sherlock-audit / 2023-10-real-wagmi-judging

16 stars 14 forks source link

Avci - the contracts aren't ready for using some tokens that uniswap v3 supports. #192

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Avci

medium

the contracts aren't ready for using some tokens that uniswap v3 supports.

Summary

the contracts aren't ready for using some tokens that uniswap v3 supports.

Vulnerability Detail

the contracts are supposed to not work with FEE-ON-TRANSFER and rebasing tokens as the TEAM said. But the problem is they also said that they accept whatever tokens that uniswap v3 accepts because it is the liquidity source of the contract liquidity flow and the interesting part is the uniswap v3 doesn't accept FEE-ON-TRANSFER tokens but it ACCEPTS Rebasing tokens as uni v3 doc said you can check it in here https://docs.uniswap.org/concepts/protocol/integration-issues#:~:text=Fee%2Don%2Dtransfer%20Tokens%E2%80%8B,transfer%20tokens%20in%20the%20future.

|| Rebasing Tokens Rebasing tokens will succeed in pool creation and swapping, but liquidity providers will bear the loss of a negative rebase when their position becomes active, with no way to recover the loss.

Q: Are there any FEE-ON-TRANSFER tokens interacting with the smart contracts? no

Q: Are there any REBASING tokens interacting with the smart contracts? no

BUT in the same time it accepts every token uni v3 accepts but there is no restriction for rebasing tokens which is pretty accepted in univ3 and since this contracts also accepts it.

Impact

it will not fit the contracts logic as normal tokens but will succeed in pool creation and swapping, but liquidity providers will bear the loss of a negative rebase when their position becomes active, with no way to recover the loss.

Rebasing tokens, which have changing supplies based on factors like market conditions, can introduce a number of risks when used in borrowing contracts

Code Snippet


    function borrow(
        BorrowParams calldata params,
        uint256 deadline
    ) external nonReentrant checkDeadline(deadline) {
        // Precalculating borrowing details and storing them in cache
        BorrowCache memory cache = _precalculateBorrowing(params);
        // Initializing borrowing variables and obtaining borrowing key
        (
            uint256 feesDebt,
            bytes32 borrowingKey,
            BorrowingInfo storage borrowing
        ) = _initOrUpdateBorrowing(params.saleToken, params.holdToken, cache.accLoanRatePerSeconds);
        // Adding borrowing key and loans information to storage
        _addKeysAndLoansInfo(borrowing.borrowedAmount > 0, borrowingKey, params.loans);
        // Calculating liquidation bonus based on hold token, borrowed amount, and number of used loans
        uint256 liquidationBonus = getLiquidationBonus(
            params.holdToken,
            cache.borrowedAmount,
            params.loans.length
        );
        // Updating borrowing details
        borrowing.borrowedAmount += cache.borrowedAmount;
        borrowing.liquidationBonus += liquidationBonus;
        borrowing.dailyRateCollateralBalance +=
            cache.dailyRateCollateral *
            Constants.COLLATERAL_BALANCE_PRECISION;
        // Checking if borrowing collateral exceeds the maximum allowed collateral
        uint256 borrowingCollateral = cache.borrowedAmount - cache.holdTokenBalance;
        (borrowingCollateral > params.maxCollateral).revertError(
            ErrLib.ErrorCode.TOO_BIG_COLLATERAL
        );

        // Transfer the required tokens to the VAULT_ADDRESS for collateral and holdTokenBalance
        _pay(
            params.holdToken,
            msg.sender,
            VAULT_ADDRESS,
            borrowingCollateral + liquidationBonus + cache.dailyRateCollateral + feesDebt
        );
        // Transferring holdTokenBalance to VAULT_ADDRESS
        _pay(params.holdToken, address(this), VAULT_ADDRESS, cache.holdTokenBalance);
        // Emit the Borrow event with the borrower, borrowing key, and borrowed amount
        emit Borrow(
            msg.sender,
            borrowingKey,
            cache.borrowedAmount,
            borrowingCollateral,
            liquidationBonus,
            cache.dailyRateCollateral
        );
    }

https://github.com/sherlock-audit/2023-10-real-wagmi/blob/b33752757fd6a9f404b8577c1eae6c5774b3a0db/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L465C8-L465C8

Tool used

Manual Review

Recommendation

sherlock-admin2 commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

It is explicitly mentioned in the README that these tokens are not accepted as valid