search

sherlock-audit / 2024-04-teller-finance-judging

10 stars 9 forks source link

KupiaSec - `_collateralAmount` is multiplied by `STANDARD_EXPANSION_FACTOR` unreasonably in the collateral check of the `LenderCommitmentGroup_Smart.acceptFundsForAcceptBid()` function. #218

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 4 months ago

KupiaSec

high

_collateralAmount is multiplied by STANDARD_EXPANSION_FACTOR unreasonably in the collateral check of the LenderCommitmentGroup_Smart.acceptFundsForAcceptBid() function.

Summary

In collateral checking of acceptFundsForAcceptBid(), _collateralAmount is multiplied by STANDARD_EXPANSION_FACTOR unreasonably. So, a user can a large amount of liquidity, even though he has no enough collateral.

Vulnerability Detail

In collateral checking of acceptFundsForAcceptBid(), _collateralAmount is multiplied by STANDARD_EXPANSION_FACTOR. The comment said that it is expanded by 1018. However, it is not expanded by 1018 anywhere.

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L362-L371


    function acceptFundsForAcceptBid(
        [...]
@>      //this is expanded by 10**18
        uint256 requiredCollateral = getCollateralRequiredForPrincipalAmount(
            _principalAmount
        );

        require(
@>          (_collateralAmount * STANDARD_EXPANSION_FACTOR) >=
                requiredCollateral,
            "Insufficient Borrower Collateral"
        );
        [...]
    }

As a result, a user can a large amount of liquidity, even though he has no enough collateral.

Impact

A user with very loss collateral can borrow a large amount of liquidity. This may lead to a critical loss of fund.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L362-L371

Tool used

Manual Review

Recommendation

    function acceptFundsForAcceptBid(
        [...]

        require(
-           (_collateralAmount * STANDARD_EXPANSION_FACTOR) >=
-               requiredCollateral,
+           _collateralAmount >= requiredCollateral,
            "Insufficient Borrower Collateral"
        );
        [...]
    }

Duplicate of #58