duc - `totalBorrow.elastic` can exceed the totalBorrowCap, resulting in the risk of overflow in `_accrue()` function due to an incorrect limit cap of extraAmount. #142
totalBorrow.elastic can exceed the totalBorrowCap, resulting in the risk of overflow in _accrue() function due to an incorrect limit cap of extraAmount.
Summary
See vulnerability detail
Vulnerability Detail
When accruing interests, totalBorrow.elastic can exceed the totalBorrowCap of the market because it isn't capped in the _accrue function.
In the BBCommon._accrue function, extraAmount is capped to avoid overflow risk:
// cap `extraAmount` to avoid overflow risk when converting it from uint256 to uint128
uint256 max = type(uint128).max - totalBorrowCap;
if (extraAmount > max) {
extraAmount = max;
}
_totalBorrow.elastic += extraAmount.toUint128();
However, if _totalBorrow.elastic is higher than totalBorrowCap before this function, _totalBorrow.elastic + extraAmount may overflow. This is because _totalBorrow.elastic is a uint128 variable, and max > type(uint128).max - _totalBorrow.elastic.
Impact
The market may break after accruing a lot of interest.
duc
medium
totalBorrow.elastic
can exceed the totalBorrowCap, resulting in the risk of overflow in_accrue()
function due to an incorrect limit cap of extraAmount.Summary
See vulnerability detail
Vulnerability Detail
When accruing interests,
totalBorrow.elastic
can exceed the totalBorrowCap of the market because it isn't capped in the_accrue
function.In the
BBCommon._accrue
function,extraAmount
is capped to avoid overflow risk:However, if
_totalBorrow.elastic
is higher than totalBorrowCap before this function,_totalBorrow.elastic + extraAmount
may overflow. This is because_totalBorrow.elastic
is a uint128 variable, andmax
>type(uint128).max - _totalBorrow.elastic
.Impact
The market may break after accruing a lot of interest.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBCommon.sol#L104-L112
Tool used
Manual Review
Recommendation
Should cap
extraAmount
bytype(uint128).max - _totalBorrow.elastic
:Duplicate of #41