BBLeverage::buyCollateral Malicious operator can abuse _allowedBorrow approval on Big bang market

Summary

buyCollateral enables a user to deleverage a borrow position on a BigBang market. However in the case an operator uses an user allowance to carry the operation on the user behalf, he can abuse the approval to make the user transfer an arbitrary amount (within the limits of a yieldbox approval to the market).

Vulnerability Detail

We can see that the _allowedBorrow is checked at the end of buyCollateral

However it fails to account that the operator controls slippage incurred here

And thus even though _allowedBorrow is checked, an arbitrarily big amount can be pulled here provided the user has an unlimited approval of the yield box contract to the big bang market.

It is worth to be noted that unlimited approvals are common among users wanting to save on gas.

It is also worth to be noted that the malicious operator has to be approved for some amount of borrow by the user because of this condition

Scenario

Alice has approved operator Bob for 1 wei of borrow on ETH BigBang market.

Bob can call buyCollateral on behalf of Alice, specifying an arbitrary calldata_.supplyAmount which will use Alice's unlimited approval of yieldBox usdo asset here, then swap it using getCollateral and ensure the amountOut to be 1 wei (can use a malicious token on the swap path).

As a result all of the checks have passed, but Alice is drained of her usdo

Impact

allowedBorrow allowance can be abused by a malicious operator to steal tokens from users.

Code Snippet

Tool used

Manual Review

Recommendation

Add an additional check against an oracle to not incur excessive slippage in the getCollateral swap

Alternatively, consider to spend lending allowance when pulling usdo instead of spending borrow allowance when providing collateral

Duplicate of #140

sherlock-audit / 2024-02-tapioca-judging

cergyk - BBLeverage::buyCollateral Malicious operator can abuse _allowedBorrow approval on Big bang market #31