Closed. sherlock-admin2 closed this issue 4 months ago:
This issue is invalid because there's no impact.
The increase in liquidity results from the attacker depositing liquidity and doesn't lead to any exploit. The increase in the interest rate results from the increase in utilization, which is the intended design of the protocol.
Squilliam

medium

[M-6] Deposit & Borrow in Market.sol allows for repeated lending and borrowing of the same token within a single transaction, which enables liquidity manipulation and interest rate manipulation

Summary

The Market.sol contract's vulnerability, permitting repeated lending and borrowing of the same token in a single transaction, poses a significant risk, enabling malicious actors to manipulate interest rates and liquidity for a specific token. This dangerous exploit can result in the artificial inflation of liquidity, allowing attackers to borrow a substantial portion of the deposited amount, ultimately disrupting market dynamics and causing unpredictable interest rate fluctuations.

Vulnerability Detail
Create a new file in the test folder and add the following tests:

Run these tests with forge test --mt testLiquidityManipulation and forge test --mt testInterestRateManipulation

A walk-through of these tests:

The testLiquidityManipulation test does the following:

testInterestRateManipulation does the following:

1. The attacker deposits a significant amount of WETH as collateral.
2. The initial interest rate of the WETH market is recorded.
3. The attacker repeatedly lends and borrows WETH within a single transaction, artificially inflating the liquidity and borrowing a significant portion of the deposited amount.
Impact

By exploiting the vulnerability in the Market.sol contract, an attacker can manipulate both liquidity and interest rates of a specific token. This can lead to distorted market conditions, enabling further exploits such as interest rate manipulation and price manipulation, resulting in financial losses for other users and destabilizing the protocol. Additionally, manipulating interest rates can cause borrowers to face higher rates and lenders to receive lower returns than expected, ultimately undermining user trust and the protocol's stability.

Code Snippet
The deposit function from the ERC4626 interface which the Market.sol contract inherits from: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol?plain=1#L15

This is the ERC4626 interface's deposit function: https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC4626.sol?plain=1#L46-L58

The borrow function in Market.sol: https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/Market.sol?plain=1#L140-L169

Tool used

Foundry, Manual Review
Recommendation

To mitigate this vulnerability, the Market.sol contract should implement measures to prevent repeated lending and borrowing within a single transaction. This can be achieved by:
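Added illustration, not part of the report above and not the admin's code: a hypothetical single-asset pool with an assumed kinked, utilization-based borrow rate (the curve, the parameters, the 50 % borrow limit per deposit and the Pool/loop_deposit_borrow/unwind names are all invented here and do not model the audited Market.sol). It replays the deposit-then-borrow loop the report describes and checks the triage reasoning: the pool's available liquidity rises by exactly the attacker's own net contribution, the resulting state is identical to a single deposit and a single borrow of the same totals, the rate moves only because utilization moved, and unwinding the position restores the original state.

```python
# Hypothetical single-asset lending pool with a utilization-based borrow rate.
# Added illustration only: this is NOT the audited Market.sol, and the rate
# curve below is an assumed kinked model, not the protocol's actual curve.
from dataclasses import dataclass
from fractions import Fraction

# Assumed curve parameters, in basis points (bps); 10_000 bps == 100 %.
BASE_BPS = 200
SLOPE_BELOW_KINK_BPS = 1_000
SLOPE_ABOVE_KINK_BPS = 10_000
KINK = Fraction(4, 5)  # 80 % utilization


def _positive(amount: int) -> None:
    if amount <= 0:
        raise ValueError("amount must be positive")


@dataclass
class Pool:
    """Suppliers and borrowers share one balance; the rate depends only on utilization."""
    total_assets: int = 0    # all supplied units, including those currently lent out
    total_borrows: int = 0   # units currently lent out

    @property
    def available_liquidity(self) -> int:
        return self.total_assets - self.total_borrows

    def utilization(self) -> Fraction:
        if self.total_assets == 0:
            return Fraction(0)
        return Fraction(self.total_borrows, self.total_assets)

    def borrow_rate_bps(self) -> Fraction:
        u = self.utilization()
        if u <= KINK:
            return BASE_BPS + SLOPE_BELOW_KINK_BPS * u
        return (BASE_BPS + SLOPE_BELOW_KINK_BPS * KINK
                + SLOPE_ABOVE_KINK_BPS * (u - KINK))

    def deposit(self, amount: int) -> None:
        _positive(amount)
        self.total_assets += amount

    def withdraw(self, amount: int) -> None:
        _positive(amount)
        if amount > self.available_liquidity:
            raise ValueError("withdraw exceeds available liquidity")
        self.total_assets -= amount

    def borrow(self, amount: int) -> None:
        _positive(amount)
        if amount > self.available_liquidity:
            raise ValueError("borrow exceeds available liquidity")
        self.total_borrows += amount

    def repay(self, amount: int) -> None:
        _positive(amount)
        if amount > self.total_borrows:
            raise ValueError("repay exceeds outstanding borrows")
        self.total_borrows -= amount

    def snapshot(self) -> tuple[int, int]:
        return (self.total_assets, self.total_borrows)


def loop_deposit_borrow(pool: Pool, capital: int, rounds: int) -> dict[str, int]:
    """The reported pattern in one transaction: deposit, borrow against it,
    redeposit the proceeds, repeat. Assumes a 50 % borrow limit per deposit.
    Returns the attacker's own accounting so their equity can be checked."""
    deposited = borrowed = 0
    to_deposit = capital
    for _ in range(rounds):
        pool.deposit(to_deposit)
        deposited += to_deposit
        draw = to_deposit // 2
        pool.borrow(draw)
        borrowed += draw
        to_deposit = draw           # borrowed units go straight back in
    wallet = to_deposit             # the last draw stays in the wallet
    return {"deposited": deposited, "borrowed": borrowed, "wallet": wallet,
            "equity": deposited - borrowed + wallet}


def unwind(pool: Pool, position: dict[str, int]) -> int:
    """Repay and withdraw everything; returns the attacker's final wallet balance."""
    shortfall = position["borrowed"] - position["wallet"]
    if shortfall > 0:
        pool.withdraw(shortfall)                  # fund the repayment
    if position["borrowed"] > 0:
        pool.repay(position["borrowed"])
    if position["deposited"] - shortfall > 0:
        pool.withdraw(position["deposited"] - shortfall)
    return position["deposited"] - position["borrowed"] + position["wallet"]
```

Starting from a pool of 1,000,000 units with 200,000 borrowed, three rounds with 100,000 of capital leave 175,000 deposited and 87,500 borrowed: available liquidity grows by 87,500 (the attacker's net contribution), the attacker's equity is still 100,000, and a pool that received one 175,000 deposit and one 87,500 borrow is in the same state with the same rate. The loop is bounded by the attacker's own capital, which is the point of the triage comment.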