Closed sherlock-admin2 closed 9 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { valid high findings; watson explained how the protocol makes the false assumption and failing to take account of the correct amounts}
I'm disputing this issue because the redeemability of funds is only a security issue for user funds, not for the protocol's earned funds. Notional as a protocol may have more funds than currenExternalUnderlyingLend on Aave, but only funds that are held by Notional's users are subject to redeemability concerns. If Notional's earned funds are temporarily unredeemable, it doesn't matter. It does't put the protocol or the users at any risk.
xiaoming90
high
Overlending of assets to external market
Summary
The current implementation does not take into consideration the interest earned by the protocol, causing the maximum amount of underlying assets that can be lent on the external market to be overestimated. As a result, overlending to external markets will occur, leading to liquidity issues where the protocol/users are unable to redeem its funds or carry out liquidation activities.
Vulnerability Detail
The
currentExternalUnderlyingLend
stores the amount of underlying assets lend to the external market (AAVE). Note that thecurrentExternalUnderlyingLend
does not include the interest earned from the aToken's rebase.The following is the extract from the Audit Specification provided by the protocol team on the contest page that describes the external withddraw threshold:
Following is the implementation to compute the maximum amount of underlying assets that can be lent on the external market. Per the comment at 67 below, it mentioned that the max amount is a function of the excess redeemable funds on that market (funds that are redeemable in excess of Notional’s own funds on that market) and the
externalWithdrawThreshold
.Focusing on the point "funds that are redeemable in excess of Notional’s own funds on that market". The issue is that the
currentExternalUnderlyingLend
does not represent the entire amount of Notional's own funds on the external market because it does not take into consideration the interest (aToken) held by Notional.As such, it will underestimate the funds (aToken) held by Notional, which in turn overestimates the
maxExternalUnderlyingLend
, resulting in more external lending than expected.For simplicity's sake, consider the simplified example:
In this case, the protocol should not proceed to lend out to the AAVE pool because there is no more redeemable liquidity left. However, since the protocol only used
externalWithdrawThreshold
during the computation, it will mistaken that there is still a buffer of 100 USDC that is not owned by Notional, and proceed to lend externally until the threshold is hit. In the end,Notional's own fund (externalWithdrawThreshold + interest earned held by Notional) > AAVE pool available liquidity for withdrawal
, causing issues when Notional redeems its funds.https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/internal/balances/ExternalLending.sol#L61
Impact
Notional will overlend its assets to the external market even if there is an inadequate amount of liquidity left in the AAVE pool available for withdrawal, leading to liquidity issues where the protocol/users are unable to redeem its funds or liquidation cannot be carried out, resulting in bad debt accumulating within the protocol and negatively affecting the protocol's solvency.
Also, it would be a serious issue if there is an emergency where funds need to be redeemed from AAVE quickly, but there is no or insufficient liquidity left in the AAVE pool to do so.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/internal/balances/ExternalLending.sol#L61
Tool used
Manual Review
Recommendation
When the Notional's own fund is used when computing the
maxExternalUnderlyingLend
, it should consist of the following assets for completeness:currentExternalUnderlyingLend