search

sherlock-audit / 2024-02-tapioca-judging

3 stars 2 forks source link

cu5t0mPe0 - Borrowing can exceed the maximum amount #129

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

cu5t0mPe0

high

Borrowing can exceed the maximum amount

Summary

The borrow function can borrow money multiple times. The amount that can be borrowed can exceed the limit.

Vulnerability Detail

When calculating the borrow function, the value of the current collateral is calculated through _computeAllowanceAmountInAsset, but the current borrowed balance is not checked. Therefore, the user can bypass the maximum borrowing amount by borrowing multiple times.

    function borrow(address from, address to, uint256 amount)
        external
        optionNotPaused(PauseType.Borrow)
        notSelf(to)
        solvent(from, false)
        returns (uint256 part, uint256 share)
    {
        if (amount == 0) return (0, 0);
        penrose.reAccrueBigBangMarkets();

        uint256 feeAmount = _computeVariableOpeningFee(amount);
        uint256 allowanceShare =
            _computeAllowanceAmountInAsset(from, exchangeRate, amount + feeAmount, asset.safeDecimals());
        if (allowanceShare == 0) revert AllowanceNotValid();
        _allowedBorrow(from, allowanceShare);
        (part, share) = _borrow(from, to, amount, feeAmount);
    }

Impact

The amount that users can borrow far exceeds that of collateral

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBBorrow.sol#L37-L53

Tool used

Manual Review

Recommendation

Check the amount borrowed

Duplicate of #13

cryptotechmaker commented 4 months ago

Invalid; it's checked by the solvent modifier