duc - `totalBorrow.elastic` can exceed the totalBorrowCap, resulting in the risk of overflow in `_accrue()` function due to an incorrect limit cap of extraAmount.

[sherlock-admin4]

duc

medium

totalBorrow.elastic can exceed the totalBorrowCap, resulting in the risk of overflow in _accrue() function due to an incorrect limit cap of extraAmount.

Summary

See vulnerability detail

Vulnerability Detail

When accruing interests, totalBorrow.elastic can exceed the totalBorrowCap of the market because it isn't capped in the _accrue function.

In the BBCommon._accrue function, extraAmount is capped to avoid overflow risk:

// cap `extraAmount` to avoid overflow risk when converting it from uint256 to uint128
uint256 max = type(uint128).max - totalBorrowCap;

if (extraAmount > max) {
    extraAmount = max;
}
_totalBorrow.elastic += extraAmount.toUint128();

However, if _totalBorrow.elastic is higher than totalBorrowCap before this function, _totalBorrow.elastic + extraAmount may overflow. This is because _totalBorrow.elastic is a uint128 variable, and max > type(uint128).max - _totalBorrow.elastic.

Impact

The market may break after accruing a lot of interest.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBCommon.sol#L104-L112

Tool used

Manual Review

Recommendation

Should cap extraAmount by type(uint128).max - _totalBorrow.elastic:

uint256 max = type(uint128).max - _totalBorrow.elastic;

if (extraAmount > max) {
    extraAmount = max;
}

Duplicate of #41

[cryptotechmaker]

Duplicate of https://github.com/sherlock-audit/2024-02-tapioca-judging/issues/41