search

sherlock-audit / 2023-11-olympus-judging

9 stars 7 forks source link

hash - setDebt can be front-runned #173

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 6 months ago

hash

medium

setDebt can be front-runned

Summary

setDebt can be front-runned allowing user to have more debt than accounted

Vulnerability Detail

The setDebt function set's the debt of a debtor.

    function setDebt(
        address debtor_,
        ERC20 token_,
        uint256 amount_
    ) external override permissioned {
        uint256 oldDebt = reserveDebt[token_][debtor_];

        reserveDebt[token_][debtor_] = amount_;

        if (oldDebt < amount_) totalDebt[token_] += amount_ - oldDebt;
        else totalDebt[token_] -= oldDebt - amount_;

        emit DebtSet(token_, debtor_, amount_);
    }

Incase the debtor has approval for more debt, the debtor can first incurDebt to a higher value following which the setDebt will clear off debt higher than the newDebt amount. Vice versa for users who repayDebt.

Impact

Incorrect debt accounting. Some users may be able to have unaccounted debt

Code Snippet

https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/TRSRY/OlympusTreasury.sol#L197-L210

Tool used

Manual Review

Recommendation

Keep an increasal and decreasal mechanism for manipulating reserveDebt values

Duplicate of #23

sherlock-admin2 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

nirohgo commented:

Invalid because all debt related functions are permissioned and fall under the trusted admin asumption