Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong Operator used for expectedCollateral #98

Open
c4-bot-8 opened this issue Jul 5, 2024 · 0 comments
Open

Wrong Operator used for expectedCollateral #98

c4-bot-8 opened this issue Jul 5, 2024 · 0 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_primary AI based primary recommendation 🤖_28_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-8
Copy link
Contributor

c4-bot-8 commented Jul 5, 2024

Lines of code

https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-zap-router/src/LeverageZapRouterBase.sol#L265-L274
https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-protocol/packages/contracts/contracts/LeverageMacroBase.sol#L211
https://github.com/code-423n4/2024-06-badger/blob/9173558ee1ac8a78a7ae0a39b97b50ff0dd9e0f8/ebtc-protocol/packages/contracts/contracts/LeverageMacroBase.sol#L281-L282

Vulnerability details

Impact

In PostCheckParams, the expectedCollateral is initialized as _totalCollateral * _collValidationBuffer / BPS with a gte operator. This signifies that the check is _totalCollateral * _collValidationBuffer / BPS >= cdpInfo.coll which is inconsistent with the intended design. As a slippage control, the cdpInfo.coll is expected to be higher than _collValidationBuffer of _totalCollateral provided.

Proof of Concept

In PostCheckParams, the expectedCollateral is initialized as _totalCollateral * _collValidationBuffer / BPS with a gte operator.

	expectedCollateral: CheckValueAndType({
		value:  _totalCollateral * _collValidationBuffer / BPS,
		operator: Operator.gte
	}),

It is later used in the postcheck.

	 _doCheckValueType(checkParams.expectedCollateral, cdpInfo.coll);

This actually checks that:

	check.value = _totalCollateral * _collValidationBuffer / BPS >= cdpInfo.coll

According to the sponsor, this is used as a laxer check post swap: when you expect after openCdp, the collateral will be 5 stETH, setting it to 100% will ensure that the collateral is at least 5 stETH.

This is not consistent with what is checking here and thus it is an invalid check which will cause unexpected revert and prevent the protocol from working correctly.

Tools Used

Manual

Recommended Mitigation Steps

Change the operator from gte to lte.

Assessed type

Invalid Validation
@c4-bot-8 c4-bot-8 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jul 5, 2024
c4-bot-5 added a commit that referenced this issue Jul 5, 2024
@c4-bot-5
jesjupyter issue #98
2b66062
@c4-bot-12 c4-bot-12 added 🤖_28_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Jul 8, 2024
howlbot-integration bot added a commit that referenced this issue Jul 10, 2024
@howlbot-integration
jesjupyter update issue #98
1bd5140
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_primary AI based primary recommendation 🤖_28_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@c4-bot-8 @c4-bot-12