Open sherlock-admin2 opened 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { valid }
The protocol team fixed this issue in PR/commit https://github.com/notional-finance/contracts-v3/pull/31.
The Lead Senior Watson signed-off on the fix.
bin2chen
medium
getOracleData() maxExternalDeposit not accurate
Summary
In getOracleData(), the calculation of maxExternalDeposit lacks consideration for reserve.accruedToTreasury. This leads to maxExternalDeposit being too large, causing Treasury.rebalance() to fail.
Vulnerability Detail
In getOracleData()
However, AAVE's restrictions are as follows: ValidationLogic.sol#L81-L88
The current implementation lacks subtraction of uint256(reserve.accruedToTreasury).rayMul(reserveCache.nextLiquidityIndex).
Impact
An overly large maxExternalDeposit may cause rebalance() to be unable to execute.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/pCash/AaveV3HoldingsOracle.sol#L160
Tool used
Manual Review
Recommendation
Subtract uint256(reserve.accruedToTreasury).rayMul(reserveCache.nextLiquidityIndex)
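A numeric model of the finding, added here as an example and not taken from the Notional or Aave code: it mirrors the shape of Aave's supply-cap condition and compares the deposit headroom computed with and without reserve.accruedToTreasury. The Reserve class, the function names and the sample figures are constructed, and the "ignoring treasury" formula is an assumed form of the calculation the finding describes.

```python
from dataclasses import dataclass

RAY = 10**27

def ray_mul(a: int, b: int) -> int:
    """Aave WadRayMath.rayMul: a * b / RAY, rounded half up."""
    return (a * b + RAY // 2) // RAY

@dataclass(frozen=True)
class Reserve:
    """Constructed reserve state for the model (not on-chain data)."""
    scaled_total_supply: int   # aToken scaledTotalSupply()
    accrued_to_treasury: int   # scaled units, like reserve.accruedToTreasury
    next_liquidity_index: int  # ray
    supply_cap: int            # whole tokens; 0 means uncapped
    decimals: int

    @property
    def cap_units(self) -> int:
        return self.supply_cap * 10**self.decimals

def aave_accepts_supply(r: Reserve, amount: int) -> bool:
    """Model of the supply-cap condition in the ValidationLogic lines cited above."""
    if r.supply_cap == 0:
        return True
    supplied = ray_mul(r.scaled_total_supply + r.accrued_to_treasury,
                       r.next_liquidity_index)
    return supplied + amount <= r.cap_units

def max_deposit_ignoring_treasury(r: Reserve) -> int:
    """Assumed form of the flawed headroom: cap minus aToken supply only."""
    if r.supply_cap == 0:
        return 2**256 - 1
    return max(r.cap_units - ray_mul(r.scaled_total_supply, r.next_liquidity_index), 0)

def max_deposit_with_treasury(r: Reserve) -> int:
    """Headroom that also counts the treasury accrual, combined in one rayMul
    as in Aave's condition so the rounding matches."""
    if r.supply_cap == 0:
        return 2**256 - 1
    supplied = ray_mul(r.scaled_total_supply + r.accrued_to_treasury,
                       r.next_liquidity_index)
    return max(r.cap_units - supplied, 0)

# Constructed sample: 6-decimal asset, cap of 1,000,000 tokens, index 1.05.
SAMPLE = Reserve(scaled_total_supply=900_000 * 10**6,
                 accrued_to_treasury=2_000 * 10**6,
                 next_liquidity_index=105 * 10**25,
                 supply_cap=1_000_000, decimals=6)
```

With SAMPLE, the headroom that ignores the treasury accrual is larger than Aave will accept, so a deposit of that size would be rejected by the cap check, while the corrected headroom lands exactly on the cap.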