The collateral redeemed but not collected yet may be borrowed by AMO minter, causing user to fail to collect them.
Summary
The collaterals redeemed but not collected yet by user should stay in the pool, and wait for user to collect them. But AMO minter still can borrow that collaterals, causing user to fail to collect them.
Vulnerability Detail
AMO minter can borrow the collateral from the ubiquity pool, as long as the borrowed amount does not exceed the pool's balance of that collateral.The balance of the coolateral in the pool includes the amount that has been redeemed by users.
574: function amoMinterBorrow(uint256 collateralAmount) internal onlyAmoMinter {
575: UbiquityPoolStorage storage poolStorage = ubiquityPoolStorage();
576:
577: // checks the collateral index of the minter as an additional safety check
578: uint256 minterCollateralIndex = IDollarAmoMinter(msg.sender)
579: .collateralIndex();
580:
581: // checks to see if borrowing is paused
582: require(
583: poolStorage.isBorrowPaused[minterCollateralIndex] == false,
584: "Borrowing is paused"
585: );
586:
587: // ensure collateral is enabled
588: require(
589: poolStorage.isCollateralEnabled[
590: poolStorage.collateralAddresses[minterCollateralIndex]
591: ],
592: "Collateral disabled"
593: );
594:
595: // transfer
596:-> IERC20(poolStorage.collateralAddresses[minterCollateralIndex])
597: .safeTransfer(msg.sender, collateralAmount);
598: }
If balance - unclaimedAmount < amoMinterBorrowAmount <= balance, the borrow transaction will succeed. But subsequent collection transactions will fail, as the pool's balance of the collateral will be insufficient for the collect amount.
ydlee
medium
The collateral redeemed but not collected yet may be borrowed by AMO minter, causing user to fail to collect them.
Summary
The collaterals redeemed but not collected yet by user should stay in the pool, and wait for user to collect them. But AMO minter still can borrow that collaterals, causing user to fail to collect them.
Vulnerability Detail
AMO minter can borrow the collateral from the ubiquity pool, as long as the borrowed amount does not exceed the pool's balance of that collateral.The balance of the coolateral in the pool includes the amount that has been redeemed by users.
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L574-L598
If
balance - unclaimedAmount < amoMinterBorrowAmount <= balance
, the borrow transaction will succeed. But subsequent collection transactions will fail, as the pool's balance of the collateral will be insufficient for the collect amount.https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L494-L516
Impact
The collaterals redeemed but not collected yet may be borrowed by AMO minter, causing user to fail to collect them.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L574-L598
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L494-L516
Tool used
Manual Review
Recommendation
While AMO borrowing collaterals, check that the borrow amount is not greater than the balance minus the unclaimed amount.
Duplicate of #1