deposit() function in AssetsProcess contract fails to restrict a user from depositing amounts greater than collateralUserCap
Summary
The deposit() function in AssetsProcess is intended to handle deposit calls from the AccountFacet contract and update the account's token balance. The function includes checks to ensure the total deposit does not exceed collateralTotalCap and collateralUserCap. While the collateralTotalCap constraint is applied correctly, the code fails to enforce the collateralUserCap. This vulnerability allows a user to deposit an amount greater than collateralUserCap.
Vulnerability Detail
The issue lies in the deposit() function in the AssetsProcess contract.
As seen in line 96 of the code, the current deposit amount (params.amount) is not considered while checking the collateralUserCap. This allows a user to deposit an amount greater than the collateralUserCap.
Impact
This vulnerability allows users to deposit an amount larger than the collateralUserCap. This will give an unfair advantage to some users who exploit this vulnerability and deposit very large amounts initially.
0xAadi
Medium
deposit()
function inAssetsProcess
contract fails to restrict a user from depositing amounts greater thancollateralUserCap
Summary
The
deposit()
function inAssetsProcess
is intended to handle deposit calls from theAccountFacet
contract and update the account's token balance. The function includes checks to ensure the total deposit does not exceedcollateralTotalCap
andcollateralUserCap
. While thecollateralTotalCap
constraint is applied correctly, the code fails to enforce thecollateralUserCap
. This vulnerability allows a user to deposit an amount greater thancollateralUserCap
.Vulnerability Detail
The issue lies in the
deposit()
function in theAssetsProcess
contract.https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L91C1-L99C70
As seen in line 96 of the code, the current deposit amount (
params.amount
) is not considered while checking thecollateralUserCap
. This allows a user to deposit an amount greater than thecollateralUserCap
.Impact
This vulnerability allows users to deposit an amount larger than the
collateralUserCap
. This will give an unfair advantage to some users who exploit this vulnerability and deposit very large amounts initially.Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L96
Tool used
Manual Review
Recommendation
Update the
deposit
function to account for the current deposit amount while applying thecollateralUserCap
constraint.Duplicate of #262