search

sherlock-audit / 2024-02-leverage-contracts-judging

1 stars 0 forks source link

0xDetermination - Min fee enforcement can cause borrowers to pay too many fees #36

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

0xDetermination

medium

Min fee enforcement can cause borrowers to pay too many fees

Summary

The min fee enforcement mechanism _calcFeeCompensationUpToMin() in repay() can cause borrowers to pay too many fees.

Vulnerability Detail

The code below in repay() enforces a min fee payment per loan:

            if (collateralBalance > 0) {
                uint256 compensation = _calcFeeCompensationUpToMin(
                    collateralBalance,
                    currentFees,
                    borrowing.feesOwed
                );
                currentFees += compensation;
    function _calcFeeCompensationUpToMin(
        int256 collateralBalance,
        uint256 currentFees,
        uint256 feesOwed
    ) private pure returns (uint256 compensation) {
        uint256 minimum = Constants.MINIMUM_AMOUNT * Constants.COLLATERAL_BALANCE_PRECISION;
        uint256 total = currentFees + feesOwed;
        if (total < minimum) {
            compensation = minimum - total;
            if (uint256(collateralBalance) < compensation) {
                compensation = uint256(collateralBalance);
            }
        }
    }

But if the min fee has already been collected and borrowing.feesOwed is below the minimum fee, for example if harvest() was just called, then the borrower's collateral will be reduced by the min fee again and it will be paid to the lender a second time.

Impact

Borrowers pay too many fees. Lenders can frontrun repay() to steal some extra fees.

Code Snippet

https://github.com/sherlock-audit/2024-02-leverage-contracts/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L617-L623 https://github.com/sherlock-audit/2024-02-leverage-contracts/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L758-L771

Tool used

Manual Review

Recommendation

This could be tricky to fix, one possible solution is to track whether or not the min fee has been collected for a loan and conditionally waive the min fee enforcement in repay().

Duplicate of #37